Tree: 6519bf0f8a
Commits on Jun 13, 2019
Commits on Jun 12, 2019
  1. Detect and reject a zip bomb using overlapped entries.

    madler committed Jun 12, 2019
    This detects an invalid zip file that has at least one entry that
    overlaps with another entry or with the central directory to the
    end of the file. A Fifield zip bomb uses overlapped local entries
    to vastly increase the potential inflation ratio. Such an invalid
    zip file is rejected.
    
    See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
    analysis, construction, and examples of such zip bombs.
    
    The detection maintains a list of covered spans of the zip files
    so far, where the central directory to the end of the file and any
    bytes preceding the first entry at zip file offset zero are
    considered covered initially. Then as each entry is decompressed
    or tested, it is considered covered. When a new entry is about to
    be processed, its initial offset is checked to see if it is
    contained by a covered span. If so, the zip file is rejected as
    invalid.
    
    This commit depends on a preceding commit: "Fix bug in
    undefer_input() that misplaced the input state."
  2. Add .gitignore.

    madler committed May 26, 2019
  3. Clean up warnings.

    madler committed May 24, 2019
    Use (void)var to mark var as used, instead of var = var. The
    intent of the self assignment was to avoid a warning, but it ends
    up invoking a different warning.
    
    Turn off security warnings for a potentially mutable string being
    given as the format string to sprintf(). Though only on macosx
    unix targets. All of the strings provided are in fact not mutable,
    but this fact is hidden from the compiler due to the strings being
    extern in a different object file.
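
The covered-span check described in the "Detect and reject a zip bomb using overlapped entries" commit message above, as an added sketch that is not UnZip's own code. The names (`span_t`, `cover_t`, `cover_within`, `cover_add`, `first_overlap`), the fixed-size unsorted table, and the sample offsets are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_SPANS 64                                 /* capacity of this sketch */
typedef struct { unsigned long beg, end; } span_t;   /* half-open [beg, end) */
typedef struct { span_t s[MAX_SPANS]; size_t n; } cover_t;

/* Constructed entry layouts for a 1000-byte file, central directory at 900. */
static const span_t clean_ents[] = { {0, 300}, {300, 600}, {600, 900} };
static const span_t bomb_ents[]  = { {0, 900}, {100, 900}, {200, 900} };
static const span_t cd_ents[]    = { {0, 300}, {950, 990} };

/* Return 1 if offset off lies inside any covered span, 0 otherwise. */
static int cover_within(const cover_t *c, unsigned long off) {
    for (size_t i = 0; i < c->n; i++)
        if (off >= c->s[i].beg && off < c->s[i].end)
            return 1;
    return 0;
}

/* Mark [beg, end) as covered. Returns 0 on success, -1 if the table is full. */
static int cover_add(cover_t *c, unsigned long beg, unsigned long end) {
    if (beg >= end) return 0;                 /* empty span: nothing to record */
    if (c->n == MAX_SPANS) return -1;
    c->s[c->n].beg = beg;
    c->s[c->n].end = end;
    c->n++;
    return 0;
}

/* Walk entries in processing order. Returns the index of the first entry whose
   start offset is already covered, -1 if none is, -2 if the table overflows. */
static int first_overlap(const span_t *ent, size_t n, unsigned long prefix,
                         unsigned long cd_start, unsigned long file_len) {
    cover_t c = { .n = 0 };
    /* Initially covered: bytes before the first entry, and the central
       directory through the end of the file. */
    if (cover_add(&c, 0, prefix) || cover_add(&c, cd_start, file_len))
        return -2;
    for (size_t i = 0; i < n; i++) {
        if (cover_within(&c, ent[i].beg)) return (int)i;   /* reject archive */
        if (cover_add(&c, ent[i].beg, ent[i].end)) return -2;
    }
    return -1;
}

int main(void) {
    printf("clean: %d\n", first_overlap(clean_ents, 3, 0, 900, 1000));
    printf("overlapped: %d\n", first_overlap(bomb_ents, 3, 0, 900, 1000));
    return 0;
}
```

A return value of 0 or greater is the index of the entry at which the archive would be rejected as invalid.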
Commits on May 24, 2019
  1. UnZip 6.0

    madler committed May 24, 2019