Diffstat (limited to 'data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch')
-rw-r--r--data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
new file mode 100644
index 000000000..10ae0302f
--- /dev/null
+++ b/data/unzip/debian/patches/20-cve-2018-1000035-unzip-buffer-overflow.patch
@@ -0,0 +1,35 @@
+From: Karol Babioch <kbabioch@suse.com>
+Subject: Fix buffer overflow in password protected zip archives
+Bug-Debian: https://bugs.debian.org/889838
+Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
+
+--- a/fileio.c
++++ b/fileio.c
+@@ -1582,6 +1582,10 @@
+ int r = IZ_PW_ENTERED;
+ char *m;
+ char *prompt;
++ char *zfnf;
++ char *efnf;
++ size_t zfnfl;
++ int isOverflow;
+
+ #ifndef REENTRANT
+ /* tell picky compilers to shut up about "unused variable" warnings */
+@@ -1590,7 +1594,15 @@
+
+ if (*rcnt == 0) { /* First call for current entry */
+ *rcnt = 2;
+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
++ zfnf = FnFilter1(zfn);
++ efnf = FnFilter2(efn);
++ zfnfl = strlen(zfnf);
++ isOverflow = TRUE;
++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
++ {
++ isOverflow = FALSE;
++ }
++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
+ sprintf(prompt, LoadFarString(PasswPrompt),
+ FnFilter1(zfn), FnFilter2(efn));
+ m = prompt;
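Review bot: The length guard in the second fileio.c hunk measures `zfnf` and `efnf`, but the `sprintf` that follows calls `FnFilter1(zfn)` and `FnFilter2(efn)` again instead of writing the strings that were just checked, so the check and the write are linked only by the assumption that both filter calls return the same output. Passing the saved pointers, `sprintf(prompt, LoadFarString(PasswPrompt), zfnf, efnf);`, would tie them together, provided the two filter results do not share storage (not visible here). The write itself is still unbounded: the `+ 15` slack has to cover the fixed text and terminator of `PasswPrompt`, which this patch does not show, so a comment stating that budget, or `snprintf(prompt, 2*FILNAMSIZ + 15, ...)` where the platform has it, would make the bound explicit. The function starts and ends outside the hunk, so the path taken when `isOverflow` stays `TRUE` cannot be checked from here.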