1From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 2From: mancha <mancha1 AT zoho DOT com> 3Date: Wed, 11 Feb 2015 4Subject: Info-ZIP UnZip buffer overflow 5 6Upstream-Status: Backport 7CVE: CVE-2014-9636 8 9By carefully crafting a corrupt ZIP archive with "extra fields" that 10purport to have compressed blocks larger than the corresponding 11uncompressed blocks in STORED no-compression mode, an attacker can 12trigger a heap overflow that can result in application crash or 13possibly have other unspecified impact. 14 15This patch ensures that when extra fields use STORED mode, the 16"compressed" and uncompressed block sizes match. 17 18Signed-off-by: mancha <mancha1 AT zoho DOT com> 19--- 20 extract.c | 8 ++++++++ 21 1 file changed, 8 insertions(+) 22 23--- a/extract.c 24+++ b/extract.c 25@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si 26 ulg eb_ucsize; 27 uch *eb_ucptr; 28 int r; 29+ ush method; 30 31 if (compr_offset < 4) /* field is not compressed: */ 32 return PK_OK; /* do nothing and signal OK */ 33@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si 34 eb_size <= (compr_offset + EB_CMPRHEADLEN))) 35 return IZ_EF_TRUNC; /* no compressed data! */ 36 37+ method = makeword(eb + (EB_HEADSIZE + compr_offset)); 38+ if ((method == STORED) && 39+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) 40+ return PK_ERR; /* compressed & uncompressed 41+ * should match in STORED 42+ * method */ 43+ 44 if ( 45 #ifdef INT_16BIT 46 (((ulg)(extent)eb_ucsize) != eb_ucsize) || 47