Showing
2 changed files
with
100 additions
and
0 deletions.
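--- /dev/null
+++ b/CVE-2023-40477.patch
@@ -0,0 +1,99 @@
+From: YOKOTA Hiroshi <yokota.hgml@gmail.com>
+Date: Fri, 21 Jul 2023 00:33:42 +0900
+Subject: CVE-2023-40477
+
+aka. ZDI-23-1152
+https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
+---
+getbits.cpp | 8 ++++----
+pathfn.cpp | 2 +-
+recvol3.cpp | 11 +++++++++--
+secpassword.cpp | 6 +++---
+4 files changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/getbits.cpp b/getbits.cpp
+index e4db269..5d5ad2b 100644
+--- a/getbits.cpp
++++ b/getbits.cpp
+@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer)
+ExternalBuffer=false;
+if (AllocBuffer)
+{
+- // getbits32 attempts to read data from InAddr, ... InAddr+3 positions.
+- // So let's allocate 3 additional bytes for situation, when we need to
++ // getbits*() attempt to read data from InAddr, ... InAddr+4 positions.
++ // So let's allocate 4 additional bytes for situation, when we need to
+// read only 1 byte from the last position of buffer and avoid a crash
+- // from access to next 3 bytes, which contents we do not need.
+- size_t BufSize=MAX_SIZE+3;
++ // from access to next 4 bytes, which contents we do not need.
++ size_t BufSize=MAX_SIZE+4;
+InBuf=new byte[BufSize];
+
+// Ensure that we get predictable results when accessing bytes in area
+diff --git a/pathfn.cpp b/pathfn.cpp
+index 32d2408..cce8f92 100644
+--- a/pathfn.cpp
++++ b/pathfn.cpp
+@@ -700,7 +700,7 @@ static void GenArcName(wchar *ArcName,const wchar *GenerateMask,uint ArcNumber,b
+// Here we ensure that we have enough 'N' characters to fit all digits
+// of archive number. We'll replace them by actual number later
+// in this function.
+- if (NCount<Digits)
++ if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))
+{
+wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1);
+wmemset(Mask+I,'N',Digits);
+diff --git a/recvol3.cpp b/recvol3.cpp
+index 0d18f07..d6e2f79 100644
+--- a/recvol3.cpp
++++ b/recvol3.cpp
+@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(RAROptions *Cmd,const wchar *Name,bool Silent)
+if (WrongParam)
+continue;
+}
+- if (P[1]+P[2]>255)
++ if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255)
+continue;
+if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2])
+{
+@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(RAROptions *Cmd,const wchar *Name,bool Silent)
+wcscpy(PrevName,CurName);
+File *NewFile=new File;
+NewFile->TOpen(CurName);
+- SrcFile[FileNumber+P[0]-1]=NewFile;
++
++ // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255
++ // checks above. Still we keep it here for better clarity and security.
++ int SrcPos=FileNumber+P[0]-1;
++ if (SrcPos<0 || SrcPos>=ASIZE(SrcFile))
++ continue;
++ SrcFile[SrcPos]=NewFile;
++
+FoundRecVolumes++;
+
+if (RecFileSize==0)
+diff --git a/secpassword.cpp b/secpassword.cpp
+index 4865b3f..04296a6 100644
+--- a/secpassword.cpp
++++ b/secpassword.cpp
+@@ -142,7 +142,7 @@ size_t SecPassword::Length()
+wchar Plain[MAXPASSWORD];
+Get(Plain,ASIZE(Plain));
+size_t Length=wcslen(Plain);
+- cleandata(Plain,ASIZE(Plain));
++ cleandata(Plain,sizeof(Plain));
+return Length;
+}
+
+@@ -157,8 +157,8 @@ bool SecPassword::operator == (SecPassword &psw)
+Get(Plain1,ASIZE(Plain1));
+psw.Get(Plain2,ASIZE(Plain2));
+bool Result=wcscmp(Plain1,Plain2)==0;
+- cleandata(Plain1,ASIZE(Plain1));
+- cleandata(Plain2,ASIZE(Plain2));
++ cleandata(Plain1,sizeof(Plain1));
++ cleandata(Plain2,sizeof(Plain2));
+return Result;
+}
+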
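Review bot: In the recvol3.cpp hunk of the added patch, the new bounds guard `if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) continue;` is placed after `File *NewFile=new File;` and `NewFile->TOpen(CurName);`, so the rejected-index path abandons a freshly allocated and opened File object without releasing it. The comment above it states the check is expected to be redundant given the P[] range tests in the earlier hunk, but a defensive branch kept "for clarity and security" should still be leak-free when it is taken. Hoisting `int SrcPos=FileNumber+P[0]-1;` and the `if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) continue;` test above `File *NewFile=new File;` avoids both the allocation and the open on that path. Note too that `SrcPos>=ASIZE(SrcFile)` is a signed/unsigned comparison that is only safe because `SrcPos<0` is evaluated first; writing it as `(size_t)SrcPos>=ASIZE(SrcFile)` would make the guard independent of that ordering. RecVolumes3::Restore begins and ends outside the quoted hunks, so how SrcFile entries are released elsewhere is not visible here.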
@@ -1,3 +1,4 @@ | ||
fix-buildflags | ||
CVE-2022-30333.diff | ||
CVE-2022-48579.patch | ||
CVE-2023-40477.patch |