From 0a35ab97fae6fb9acecab46b570c14e3be1646e7 Mon Sep 17 00:00:00 2001 From: Peter Kaestle Date: Wed, 5 Mar 2025 15:34:44 +0100 Subject: [PATCH] unzip/bsdunzip.c: fix NULL ptr dereference issue inside list() Fix CVE-2025-1632 by detecting NULL return of archive_entry_pathname() and replacing it by "INVALID PATH" string. Error poc: https://github.com/Ekkosun/pocs/blob/main/bsdunzip-poc Signed-off-by: Peter Kaestle --- unzip/bsdunzip.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/unzip/bsdunzip.c b/unzip/bsdunzip.c index 7c8cafc3e..4a9028b79 100644 --- a/unzip/bsdunzip.c +++ b/unzip/bsdunzip.c @@ -876,6 +876,7 @@ list(struct archive *a, struct archive_entry *e) char buf[20]; time_t mtime; struct tm *tm; + const char *pathname; mtime = archive_entry_mtime(e); tm = localtime(&mtime); @@ -884,22 +885,25 @@ list(struct archive *a, struct archive_entry *e) else strftime(buf, sizeof(buf), "%m-%d-%g %R", tm); + pathname = archive_entry_pathname(e); + if (!pathname) + pathname = ""; if (!zipinfo_mode) { if (v_opt == 1) { printf(" %8ju %s %s\n", (uintmax_t)archive_entry_size(e), - buf, archive_entry_pathname(e)); + buf, pathname); } else if (v_opt == 2) { printf("%8ju Stored %7ju 0%% %s %08x %s\n", (uintmax_t)archive_entry_size(e), (uintmax_t)archive_entry_size(e), buf, 0U, - archive_entry_pathname(e)); + pathname); } } else { if (Z1_opt) - printf("%s\n",archive_entry_pathname(e)); + printf("%s\n", pathname); } ac(archive_read_data_skip(a)); }
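Review bot: The fallback in the second hunk assigns `pathname = "";`, while the commit message says a NULL return from archive_entry_pathname() is replaced by the string "INVALID PATH", so the code and the description disagree. With an empty string, an entry whose path could not be obtained is printed as a blank name in all three printf() branches, which makes a malformed archive easy to overlook in the listing. Either use `pathname = "INVALID PATH";` as described or correct the message, and add a short comment above the check such as `/* archive_entry_pathname() can return NULL (CVE-2025-1632) */`. The guard covers every use of the pathname in the lines shown. The start of list() and the condition before `else` lie outside the hunks, and this patch does not show whether other callers of archive_entry_pathname() in the file need the same check.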