@@ -0,0 +1,106 @@ | ||
From: YOKOTA Hiroshi <yokota.hgml@gmail.com> | ||
Date: Fri, 21 Jul 2023 00:33:42 +0900 | ||
Subject: CVE-2023-40477 | ||
|
||
--- | ||
getbits.cpp | 8 ++++---- | ||
pathfn.cpp | 2 +- | ||
recvol3.cpp | 11 +++++++++-- | ||
secpassword.cpp | 8 ++++---- | ||
4 files changed, 18 insertions(+), 11 deletions(-) | ||
|
||
diff --git a/getbits.cpp b/getbits.cpp | ||
index 8805f27..5d5ad2b 100644 | ||
--- a/getbits.cpp | ||
+++ b/getbits.cpp | ||
@@ -5,11 +5,11 @@ BitInput::BitInput(bool AllocBuffer) | ||
ExternalBuffer=false; | ||
if (AllocBuffer) | ||
{ | ||
- // getbits*() attempt to read data from InAddr, ... InAddr+3 positions. | ||
- // So let's allocate 3 additional bytes for situation, when we need to | ||
+ // getbits*() attempt to read data from InAddr, ... InAddr+4 positions. | ||
+ // So let's allocate 4 additional bytes for situation, when we need to | ||
// read only 1 byte from the last position of buffer and avoid a crash | ||
- // from access to next 3 bytes, which contents we do not need. | ||
- size_t BufSize=MAX_SIZE+3; | ||
+ // from access to next 4 bytes, which contents we do not need. | ||
+ size_t BufSize=MAX_SIZE+4; | ||
InBuf=new byte[BufSize]; | ||
|
||
// Ensure that we get predictable results when accessing bytes in area | ||
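Review bot: The slack size in `size_t BufSize=MAX_SIZE+4;` is a bare literal that has to stay in step with how far the getbits*() readers look past InAddr, and nothing in the hunk ties the two together. A named constant shared by the allocation and the readers would keep them from drifting apart again, for example `const size_t BitInputPad=4; // bytes getbits*() may read past InAddr` followed by `size_t BufSize=MAX_SIZE+BitInputPad;`. The `ExternalBuffer=false;` line suggests a caller can supply its own buffer; presumably that path needs the same four bytes of slack, which is worth confirming since it is outside the hunk. The constructor body continues past the hunk.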
diff --git a/pathfn.cpp b/pathfn.cpp | ||
index 49d16a8..7a54354 100644 | ||
--- a/pathfn.cpp | ||
+++ b/pathfn.cpp | ||
@@ -746,7 +746,7 @@ static void GenArcName(wchar *ArcName,size_t MaxSize,const wchar *GenerateMask,u | ||
// Here we ensure that we have enough 'N' characters to fit all digits | ||
// of archive number. We'll replace them by actual number later | ||
// in this function. | ||
- if (NCount<Digits) | ||
+ if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask)) | ||
{ | ||
wmemmove(Mask+I+Digits,Mask+I+NCount,wcslen(Mask+I+NCount)+1); | ||
wmemset(Mask+I,'N',Digits); | ||
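Review bot: When the added length test in `if (NCount<Digits && wcslen(Mask)+Digits-NCount<ASIZE(Mask))` fails, the mask is silently left with fewer 'N' characters than the archive number has digits, so the comment above it ("we ensure that we have enough 'N' characters") no longer holds on that path. The code that later substitutes the digits is outside the hunk, so confirm it copes with NCount<Digits and record the outcome in the comment, e.g. `// If the widened mask would not fit in Mask, leave it unchanged.` plus a sentence on what happens to the number then. The test also relies on `Mask` being an array in this scope, since ASIZE on a pointer would not give the buffer length; its declaration is not visible here.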
diff --git a/recvol3.cpp b/recvol3.cpp | ||
index ecf6dd3..0138d0f 100644 | ||
--- a/recvol3.cpp | ||
+++ b/recvol3.cpp | ||
@@ -226,7 +226,7 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent) | ||
if (WrongParam) | ||
continue; | ||
} | ||
- if (P[1]+P[2]>255) | ||
+ if (P[0]<=0 || P[1]<=0 || P[2]<=0 || P[1]+P[2]>255 || P[0]+P[2]-1>255) | ||
continue; | ||
if (RecVolNumber!=0 && RecVolNumber!=P[1] || FileNumber!=0 && FileNumber!=P[2]) | ||
{ | ||
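Review bot: The bound `255` in `P[1]+P[2]>255 || P[0]+P[2]-1>255` is a literal, while the store further down in Restore() is checked against `ASIZE(SrcFile)`; if 255 is meant as the last valid SrcFile index, writing the second test as `P[0]+P[2]-1>=(int)ASIZE(SrcFile)` would keep the filter and the array from diverging. The sums are also formed before any visible per-element upper bound, so unless the values are already capped above the hunk (a later comment refers to a `P[I]>255` check), two large positive fields could overflow `int`; testing `P[0]>255 || P[1]>255 || P[2]>255` first would rule that out. A one-line comment naming what P[0], P[1] and P[2] hold would help, as their meaning cannot be read from this hunk.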
@@ -238,7 +238,14 @@ bool RecVolumes3::Restore(CommandData *Cmd,const wchar *Name,bool Silent) | ||
wcsncpyz(PrevName,CurName,ASIZE(PrevName)); | ||
File *NewFile=new File; | ||
NewFile->TOpen(CurName); | ||
- SrcFile[FileNumber+P[0]-1]=NewFile; | ||
+ | ||
+ // This check is redundant taking into account P[I]>255 and P[0]+P[2]-1>255 | ||
+ // checks above. Still we keep it here for better clarity and security. | ||
+ int SrcPos=FileNumber+P[0]-1; | ||
+ if (SrcPos<0 || SrcPos>=ASIZE(SrcFile)) | ||
+ continue; | ||
+ SrcFile[SrcPos]=NewFile; | ||
+ | ||
FoundRecVolumes++; | ||
|
||
if (RecFileSize==0) | ||
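Review bot: The new `continue` on `SrcPos<0 || SrcPos>=ASIZE(SrcFile)` is taken after `File *NewFile=new File;` and `NewFile->TOpen(CurName);`, so the object and whatever it opened are never released on that path. Either compute and test SrcPos before the allocation, or release it in the branch with `{ delete NewFile; continue; }`. The comment above the check cites a `P[I]>255` test that does not appear in the filter this patch adds earlier in Restore(); if it lives elsewhere in the function, the comment should say where. Restore() starts and ends outside the hunk.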
diff --git a/secpassword.cpp b/secpassword.cpp | ||
index 42ed47d..08da549 100644 | ||
--- a/secpassword.cpp | ||
+++ b/secpassword.cpp | ||
@@ -70,7 +70,7 @@ void SecPassword::Clean() | ||
{ | ||
PasswordSet=false; | ||
if (Password.size()>0) | ||
- cleandata(&Password[0],Password.size()); | ||
+ cleandata(&Password[0],Password.size()*sizeof(Password[0])); | ||
} | ||
|
||
|
||
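Review bot: The corrected calls now pass a byte count (`Password.size()*sizeof(Password[0])` here, `sizeof(Plain)`, `sizeof(Plain1)` and `sizeof(Plain2)` in the Length() and operator== hunks), but nothing at the call sites records that cleandata()'s second argument is in bytes, which is presumably how the element-count form went unnoticed. A contract comment on cleandata() such as `// Size is in bytes, not elements`, or a small array wrapper like `template<class T,size_t N> void cleanarray(T (&A)[N]) { cleandata(A,sizeof(A)); }` for the stack buffers, would make the wrong form hard to write. In Clean() only `size()` elements are wiped; if the container can hold stale password data beyond its current size, that part stays in memory, which is worth confirming against the container type declared outside the hunk.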
@@ -141,7 +141,7 @@ size_t SecPassword::Length() | ||
wchar Plain[MAXPASSWORD]; | ||
Get(Plain,ASIZE(Plain)); | ||
size_t Length=wcslen(Plain); | ||
- cleandata(Plain,ASIZE(Plain)); | ||
+ cleandata(Plain,sizeof(Plain)); | ||
return Length; | ||
} | ||
|
||
@@ -156,8 +156,8 @@ bool SecPassword::operator == (SecPassword &psw) | ||
Get(Plain1,ASIZE(Plain1)); | ||
psw.Get(Plain2,ASIZE(Plain2)); | ||
bool Result=wcscmp(Plain1,Plain2)==0; | ||
- cleandata(Plain1,ASIZE(Plain1)); | ||
- cleandata(Plain2,ASIZE(Plain2)); | ||
+ cleandata(Plain1,sizeof(Plain1)); | ||
+ cleandata(Plain2,sizeof(Plain2)); | ||
return Result; | ||
} | ||
|