Added a maxSize of the EOCD constructor to detect corruption in the E…

…OCD and to avoid reading over end of file
xrootd · Jul 19, 2022 · 28b1dfd · 28b1dfd
1 parent dd1e712
commit 28b1dfd
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 3 deletions.
diff --git a/src/XrdCl/XrdClZipArchive.cc b/src/XrdCl/XrdClZipArchive.cc
@@ -321,10 +321,18 @@ namespace XrdCl
                                                             "End-of-central-directory signature not found." );
                                         Pipeline::Stop( error );
                                       }
-                                      eocd.reset( new EOCD( eocdBlock ) );
+                                      try{
+                                      eocd.reset( new EOCD( eocdBlock, chunk.length - (eocdBlock - buff) ) );
                                       log->Dump( ZipMsg, "[0x%x] EOCD record parsed: %s", this,
                                                          eocd->ToString().c_str() );
-
+                                      if(eocd->cdOffset > archsize || eocd->cdOffset + eocd->cdSize > archsize)
+                                    	  throw bad_data();
+                                      }
+                                      catch(const bad_data &ex){
+                                    	  XRootDStatus error( stError, errDataError, 0,
+                                    	               "End-of-central-directory signature corrupted." );
+                                    	  Pipeline::Stop( error );
+                                      }
                                       // Do we have the whole archive?
                                       if( chunk.length == archsize )
                                       {

diff --git a/src/XrdZip/XrdZipEOCD.hh b/src/XrdZip/XrdZipEOCD.hh
@@ -51,7 +51,7 @@ namespace XrdZip
     //-------------------------------------------------------------------------
     //! Constructor from buffer
     //-------------------------------------------------------------------------
-    EOCD( const char *buffer )
+    EOCD( const char *buffer, uint32_t maxSize = 0 )
     {
       nbDisk        = *reinterpret_cast<const uint16_t*>( buffer + 4 );
       nbDiskCd      = *reinterpret_cast<const uint16_t*>( buffer + 6 );
@@ -60,6 +60,8 @@ namespace XrdZip
       cdSize        = *reinterpret_cast<const uint32_t*>( buffer + 12 );
       cdOffset      = *reinterpret_cast<const uint32_t*>( buffer + 16 );
       commentLength = *reinterpret_cast<const uint16_t*>( buffer + 20 );
+      if(maxSize > 0 && (uint32_t)(eocdBaseSize + commentLength) > maxSize)
+    	  throw bad_data();
       comment       = std::string( buffer + 22, commentLength );
 
       eocdSize = eocdBaseSize + commentLength;