Skip to content
Permalink
Browse files

Fix a crash condition due invalid ZIP data

  • Loading branch information...
amadvance committed Feb 12, 2018
1 parent ea4f30c commit 7deeafc02b29cc51d51079e66f4f43f986ff9cc5
Showing with 26 additions and 11 deletions.
  1. +2 −1 HISTORY
  2. +3 −1 doc/history.1
  3. +2 −1 doc/history.d
  4. +2 −1 doc/history.txt
  5. +15 −5 zip.cc
  6. +2 −2 zip.h
@@ -3,10 +3,11 @@
=======================


ADVANCECOMP VERSION 2.1 2018/01
ADVANCECOMP VERSION 2.1 2018/02
===============================

* Support ZIPs with data descriptor signature.
* Fixed a crash condition with invalid ZIP data.


ADVANCECOMP VERSION 2.0 2017/06
@@ -1,10 +1,12 @@
.TH "History For AdvanceCOMP" 1
.SH NAME
advcomp \- History For AdvanceCOMP
.SH ADVANCECOMP VERSION 2.1 2018/01
.SH ADVANCECOMP VERSION 2.1 2018/02
.PD 0
.IP \(bu
Support ZIPs with data descriptor signature.
.IP \(bu
Fixed a crash condition with invalid ZIP data.
.PD
.SH ADVANCECOMP VERSION 2.0 2017/06
.PD 0
@@ -1,8 +1,9 @@
Name
advcomp - History For AdvanceCOMP

AdvanceCOMP Version 2.1 2018/01
AdvanceCOMP Version 2.1 2018/02
) Support ZIPs with data descriptor signature.
) Fixed a crash condition with invalid ZIP data.

AdvanceCOMP Version 2.0 2017/06
) Added support for reading MNG files with depth of 1, 2, and 4 bits.
@@ -3,10 +3,11 @@
=======================


ADVANCECOMP VERSION 2.1 2018/01
ADVANCECOMP VERSION 2.1 2018/02
===============================

* Support ZIPs with data descriptor signature.
* Fixed a crash condition with invalid ZIP data.


ADVANCECOMP VERSION 2.0 2017/06
20 zip.cc
@@ -456,13 +456,15 @@ string zip_entry::name_get() const
}

/** Check central directory entry. */
void zip_entry::check_cent(const unsigned char* buf) const
void zip_entry::check_cent(const unsigned char* buf, unsigned buf_size) const
{
if (buf_size < ZIP_CO_FIXED) {
throw error_invalid() << "Invalid central directory data";
}
// check signature
if (le_uint32_read(buf+ZIP_CO_central_file_header_signature) != ZIP_C_signature) {
throw error_invalid() << "Invalid central directory signature";
}

// check filename_length > 0, can't exist a file without a name
if (le_uint16_read(buf+ZIP_CO_filename_length) == 0) {
throw error_invalid() << "Empty filename in central directory";
@@ -679,11 +681,11 @@ void zip_entry::save_local(FILE* f)
* \param buf Fixed size cent dir.
* \param f File seeked after the fixed size cent dir.
*/
void zip_entry::load_cent(const unsigned char* buf, unsigned& skip)
void zip_entry::load_cent(const unsigned char* buf, unsigned buf_size, unsigned& skip)
{
const unsigned char* o_buf = buf;

check_cent(buf);
check_cent(buf, buf_size);

// read header
info.version_made_by = le_uint8_read(buf+ZIP_CO_version_made_by);
@@ -705,6 +707,14 @@ void zip_entry::load_cent(const unsigned char* buf, unsigned& skip)
info.relative_offset_of_local_header = le_uint32_read(buf+ZIP_CO_relative_offset_of_local_header);
buf += ZIP_CO_FIXED;

if (buf_size < info.filename_length
|| buf_size < info.central_extra_field_length
|| buf_size < info.file_comment_length
|| buf_size < ZIP_CO_FIXED + info.filename_length + info.central_extra_field_length + info.file_comment_length
) {
throw error_invalid() << "Invalid central directory data";
}

// read filename
data_free(file_name);
file_name = data_alloc(info.filename_length);
@@ -853,7 +863,7 @@ void zip::open()

unsigned skip = 0;
try {
i->load_cent(data + data_pos, skip);
i->load_cent(data + data_pos, data_size - data_pos, skip);
} catch (...) {
map.erase(i);
throw;
4 zip.h
@@ -192,7 +192,7 @@ class zip_entry {
unsigned char* central_extra_field;
unsigned char* data;

void check_cent(const unsigned char* buf) const;
void check_cent(const unsigned char* buf, unsigned buf_size) const;
void check_local(const unsigned char* buf) const;
void check_descriptor(const unsigned char* buf) const;

@@ -208,7 +208,7 @@ class zip_entry {

void load_local(const unsigned char* buf, FILE* f, unsigned size);
void save_local(FILE* f);
void load_cent(const unsigned char* buf, unsigned& skip);
void load_cent(const unsigned char* buf, unsigned size, unsigned& skip);
void save_cent(FILE* f);
void unload();

0 comments on commit 7deeafc

Please sign in to comment.
You can’t perform that action at this time.