github-mirrors/thirdparty-miniz
1
0
Fork 0
mirror of https://github.com/eledio-devices/thirdparty-miniz.git synced 2025-10-31 16:14:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix out of bounds read while reading Zip64 extended information

Browse Source
This commit is contained in:
Martin
2018-11-11 19:11:47 +01:00
parent f8600923fc
commit 9ce0d0ddff
1 changed files with 33 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
miniz_zip.c
View File

@@ -748,7 +748,27 @@ static mz_bool mz_zip_reader_read_central_dir(mz_zip_archive *pZip, mz_uint flag
if (extra_size_remaining) if (extra_size_remaining)
{ {
const mz_uint8 *pExtra_data = p + MZ_ZIP_CENTRAL_DIR_HEADER_SIZE + filename_size; const mz_uint8 *pExtra_data;
void* buf = NULL;
if (MZ_ZIP_CENTRAL_DIR_HEADER_SIZE + filename_size + ext_data_size > n)
{
buf = MZ_MALLOC(ext_data_size);
if(buf==NULL)
return mz_zip_set_error(pZip, MZ_ZIP_ALLOC_FAILED);
if (pZip->m_pRead(pZip->m_pIO_opaque, cdir_ofs + MZ_ZIP_CENTRAL_DIR_HEADER_SIZE + filename_size, buf, ext_data_size) != ext_data_size)
{
MZ_FREE(buf);
return mz_zip_set_error(pZip, MZ_ZIP_FILE_READ_FAILED);
}
pExtra_data = buf;
}
else
{
pExtra_data = p + MZ_ZIP_CENTRAL_DIR_HEADER_SIZE + filename_size;
}
do do
{ {
@@ -756,13 +776,19 @@ static mz_bool mz_zip_reader_read_central_dir(mz_zip_archive *pZip, mz_uint flag
mz_uint32 field_data_size; mz_uint32 field_data_size;
if (extra_size_remaining < (sizeof(mz_uint16) * 2)) if (extra_size_remaining < (sizeof(mz_uint16) * 2))
{
MZ_FREE(buf);
return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED); return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED);
}
field_id = MZ_READ_LE16(pExtra_data); field_id = MZ_READ_LE16(pExtra_data);
field_data_size = MZ_READ_LE16(pExtra_data + sizeof(mz_uint16)); field_data_size = MZ_READ_LE16(pExtra_data + sizeof(mz_uint16));
if ((field_data_size + sizeof(mz_uint16) * 2) > extra_size_remaining) if ((field_data_size + sizeof(mz_uint16) * 2) > extra_size_remaining)
{
MZ_FREE(buf);
return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED); return mz_zip_set_error(pZip, MZ_ZIP_INVALID_HEADER_OR_CORRUPTED);
}
if (field_id == MZ_ZIP64_EXTENDED_INFORMATION_FIELD_HEADER_ID) if (field_id == MZ_ZIP64_EXTENDED_INFORMATION_FIELD_HEADER_ID)
{ {
@@ -775,6 +801,8 @@ static mz_bool mz_zip_reader_read_central_dir(mz_zip_archive *pZip, mz_uint flag
pExtra_data += sizeof(mz_uint16) * 2 + field_data_size; pExtra_data += sizeof(mz_uint16) * 2 + field_data_size;
extra_size_remaining = extra_size_remaining - sizeof(mz_uint16) * 2 - field_data_size; extra_size_remaining = extra_size_remaining - sizeof(mz_uint16) * 2 - field_data_size;
} while (extra_size_remaining); } while (extra_size_remaining);
MZ_FREE(buf);
} }
} }