packages/unzip
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix cve 2019-13232

Browse Source
This commit is contained in:
wsp1991 2020-03-02 21:33:36 +08:00 committed by Gitee
parent 7910a379b7
commit 675c835d46
4 changed files with 822 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
CVE-2019-13232-fur1.patch
View File

@ -0,0 +1,111 @@
From 6d351831be705cc26d897db44f878a978f4138fc Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Thu, 25 Jul 2019 20:43:17 -0700
Subject: [PATCH] Do not raise a zip bomb alert for a misplaced central
directory.
There is a zip-like file in the Firefox distribution, omni.ja,
which is a zip container with the central directory placed at the
start of the file instead of after the local entries as required
by the zip standard. This commit marks the actual location of the
central directory, as well as the end of central directory records,
as disallowed locations. This now permits such containers to not
raise a zip bomb alert, where in fact there are no overlaps.
---
extract.c | 25 +++++++++++++++++++------
process.c | 6 ++++++
unzpriv.h | 10 ++++++++++
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git a/extract.c b/extract.c
index 0973a33..1b73cb0 100644
--- a/extract.c
+++ b/extract.c
@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
}
#endif /* !SFX || SFX_EXDIR */
- /* One more: initialize cover structure for bomb detection. Start with a
- span that covers the central directory though the end of the file. */
+ /* One more: initialize cover structure for bomb detection. Start with
+ spans that cover any extra bytes at the start, the central directory,
+ the end of central directory record (including the Zip64 end of central
+ directory locator, if present), and the Zip64 end of central directory
+ record, if present. */
if (G.cover == NULL) {
G.cover = malloc(sizeof(cover_t));
if (G.cover == NULL) {
@@ -506,15 +509,25 @@ int extract_or_test_files(__G) /* return PK-type error code */
((cover_t *)G.cover)->max = 0;
}
((cover_t *)G.cover)->num = 0;
- if ((G.extra_bytes != 0 &&
- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
- cover_add((cover_t *)G.cover,
+ if (cover_add((cover_t *)G.cover,
G.extra_bytes + G.ecrec.offset_start_central_directory,
- G.ziplen) != 0) {
+ G.extra_bytes + G.ecrec.offset_start_central_directory +
+ G.ecrec.size_central_directory) != 0) {
Info(slide, 0x401, ((char *)slide,
LoadFarString(NotEnoughMemCover)));
return PK_MEM;
}
+ if ((G.extra_bytes != 0 &&
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+ (G.ecrec.have_ecr64 &&
+ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
+ G.ecrec.ec64_end) != 0) ||
+ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
+ G.ecrec.ec_end) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
/*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di-
diff --git a/process.c b/process.c
index d2e4dc3..d75d405 100644
--- a/process.c
+++ b/process.c
@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
/* Now, we are (almost) sure that we have a Zip64 archive. */
G.ecrec.have_ecr64 = 1;
+ G.ecrec.ec_start -= ECLOC64_SIZE+4;
+ G.ecrec.ec64_start = ecrec64_start_offset;
+ G.ecrec.ec64_end = ecrec64_start_offset +
+ 12 + makeint64(&byterec[ECREC64_LENGTH]);
/* Update the "end-of-central-dir offset" for later checks. */
G.real_ecrec_offset = ecrec64_start_offset;
@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
G.ecrec.zipfile_comment_length =
makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
+ G.ecrec.ec_start = G.real_ecrec_offset;
+ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
/* Now, we have to read the archive comment, BEFORE the file pointer
is moved away backwards to seek for a Zip64 ECLOC64 structure.
diff --git a/unzpriv.h b/unzpriv.h
index dc9eff5..297b3c7 100644
--- a/unzpriv.h
+++ b/unzpriv.h
@@ -2185,6 +2185,16 @@ typedef struct VMStimbuf {
int have_ecr64; /* valid Zip64 ecdir-record exists */
int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
ush zipfile_comment_length;
+ zusz_t ec_start, ec_end; /* offsets of start and end of the
+ end of central directory record,
+ including if present the Zip64
+ end of central directory locator,
+ which immediately precedes the
+ end of central directory record */
+ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
+ are the offsets of the start and
+ end of the Zip64 end of central
+ directory record */
} ecdir_rec;

337
CVE-2019-13232-fur2.patch
View File

@ -0,0 +1,337 @@
From b701988480151e6693343ecdb246092824604c61 Mon Sep 17 00:00:00 2001
From: wangshouping <wangshouping@huawei.com>
Date: Tue, 11 Feb 2020 19:07:28 -0500
Subject: [PATCH] add param to limit the number of overlap files
Signed-off-by: wangshouping <wangshouping@huawei.com>
---
extract.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++--------------
man/unzip.1 | 8 +++--
unzip.c | 84 +++++++++++++++++++++++++++++++++++++++-----
unzip.h | 1 +
unzip.txt | 6 +++-
5 files changed, 176 insertions(+), 37 deletions(-)
diff --git a/extract.c b/extract.c
index 3a01d13..031efdb 100644
--- a/extract.c
+++ b/extract.c
@@ -340,23 +340,32 @@ typedef struct {
span_t *span; /* allocated, distinct, and sorted list of spans */
size_t num; /* number of spans in the list */
size_t max; /* allocated number of spans (num <= max) */
+ unsigned long count;
} cover_t;
/*
* Return the index of the first span in cover whose beg is greater than val.
* If there is no such span, then cover->num is returned.
*/
-static size_t cover_find(cover, val)
+static size_t cover_find(cover, val, op)
cover_t *cover;
bound_t val;
+ int op;
{
size_t lo = 0, hi = cover->num;
+ bound_t tmp_val;
while (lo < hi) {
size_t mid = (lo + hi) >> 1;
- if (val < cover->span[mid].beg)
- hi = mid;
- else
- lo = mid + 1;
+ if (!op) {
+ tmp_val = cover->span[mid].beg;
+ } else {
+ tmp_val = cover->span[mid].end;
+ }
+ if (val < tmp_val) {
+ hi = mid;
+ } else {
+ lo = mid + 1;
+ }
}
return hi;
}
@@ -366,10 +375,16 @@ static int cover_within(cover, val)
cover_t *cover;
bound_t val;
{
- size_t pos = cover_find(cover, val);
+ size_t pos = cover_find(cover, val, 0);
return pos > 0 && val < cover->span[pos - 1].end;
}
+static int is_exceed_max_overlaps(cover, val)
+ cover_t *cover;
+{
+ return cover->count >= G.UzO.max_overlaps;
+}
+
/*
* Add a new span to the list, but only if the new span does not overlap any
* spans already in the list. The new span covers the values beg..end-1. beg
@@ -387,7 +402,8 @@ static int cover_add(cover, beg, end)
bound_t beg;
bound_t end;
{
- size_t pos;
+ size_t pos_beg;
+ size_t pos_end;
int prec, foll;
if (beg >= end)
@@ -396,31 +412,76 @@ static int cover_add(cover, beg, end)
/* Find where the new span should go, and make sure that it does not
overlap with any existing spans. */
- pos = cover_find(cover, beg);
- if ((pos > 0 && beg < cover->span[pos - 1].end) ||
- (pos < cover->num && end > cover->span[pos].beg))
- return 1;
+ pos_beg = cover_find(cover, beg, 0);
+ pos_end = cover_find(cover, end, 1);
/* Check for adjacencies. */
- prec = pos > 0 && beg == cover->span[pos - 1].end;
- foll = pos < cover->num && end == cover->span[pos].beg;
+ prec = pos_beg > 0 && beg <= cover->span[pos_beg - 1].end;
+ foll = pos_beg < cover->num && end >= cover->span[pos_beg].beg;
if (prec && foll) {
+ if (beg < cover->span[pos_beg - 1].end || end > cover->span[pos_beg].beg) {
+ cover->count++;
+ }
+
/* The new span connects the preceding and following spans. Merge the
following span into the preceding span, and delete the following
span. */
- cover->span[pos - 1].end = cover->span[pos].end;
- cover->num--;
- memmove(cover->span + pos, cover->span + pos + 1,
- (cover->num - pos) * sizeof(span_t));
+ if (end <= cover->span[pos_beg].end) {
+ cover->span[pos_beg - 1].end = cover->span[pos_beg].end;
+ cover->num--;
+ memmove(cover->span + pos_beg, cover->span + pos_beg + 1,
+ (cover->num - pos_beg) * sizeof(span_t));
+ } else {
+ if (pos_end == cover->num) {
+ cover->span[pos_beg - 1].end = end;
+ cover->num = cover->num - (pos_end - pos_beg);
+ } else if (end >= cover->span[pos_end].beg) {
+ cover->span[pos_beg - 1].end = cover->span[pos_end].end;
+ memmove(cover->span + pos_beg, cover->span + pos_end + 1,
+ (cover->num - 1 - pos_end) * sizeof(span_t));
+ cover->num = cover->num - (pos_end - pos_beg) - 1;
+ } else {
+ cover->span[pos_beg - 1].end = end;
+ memmove(cover->span + pos_beg, cover->span + pos_end,
+ (cover->num - 1 - pos_end + 1) * sizeof(span_t));
+ cover->num = cover->num - (pos_end - pos_beg);
+ }
+ }
}
- else if (prec)
+ else if (prec) {
/* The new span is adjacent only to the preceding span. Extend the end
of the preceding span. */
- cover->span[pos - 1].end = end;
- else if (foll)
+ if (beg < cover->span[pos_beg - 1].end) {
+ cover->count++;
+ }
+ if (end > cover->span[pos_beg - 1].end) {
+ cover->span[pos_beg - 1].end = end;
+ }
+ }
+ else if (foll) {
+ if (end > cover->span[pos_beg].beg) {
+ cover->count++;
+ }
/* The new span is adjacent only to the following span. Extend the
beginning of the following span. */
- cover->span[pos].beg = beg;
+ cover->span[pos_beg].beg = beg;
+ if (end > cover->span[pos_beg].end) {
+ if (pos_end == cover->num) {
+ cover->span[pos_beg].end = end;
+ cover->num = cover->num - (pos_end - pos_beg) + 1;
+ } else if (end >= cover->span[pos_end].beg) {
+ cover->span[pos_beg].end = cover->span[pos_end].end;
+ memmove(cover->span + pos_beg + 1, cover->span + pos_end + 1,
+ (cover->num - 1 - pos_end) * sizeof(span_t));
+ cover->num = cover->num - (pos_end - pos_beg);
+ } else {
+ cover->span[pos_beg].end = end;
+ memmove(cover->span + pos_beg + 1, cover->span + pos_end,
+ (cover->num - 1 - pos_end + 1) * sizeof(span_t));
+ cover->num = cover->num - (pos_end - pos_beg) + 1;
+ }
+ }
+ }
else {
/* The new span has gaps between both the preceding and the following
spans. Assure that there is room and insert the span. */
@@ -432,11 +493,11 @@ static int cover_add(cover, beg, end)
cover->span = span;
cover->max = max;
}
- memmove(cover->span + pos + 1, cover->span + pos,
- (cover->num - pos) * sizeof(span_t));
+ memmove(cover->span + pos_beg + 1, cover->span + pos_beg,
+ (cover->num - pos_beg) * sizeof(span_t));
cover->num++;
- cover->span[pos].beg = beg;
- cover->span[pos].end = end;
+ cover->span[pos_beg].beg = beg;
+ cover->span[pos_beg].end = end;
}
return 0;
}
@@ -511,6 +572,7 @@ int extract_or_test_files(__G) /* return PK-type error code */
((cover_t *)G.cover)->max = 0;
}
((cover_t *)G.cover)->num = 0;
+ ((cover_t *)G.cover)->count = 0;
if (cover_add((cover_t *)G.cover,
G.extra_bytes + G.ecrec.offset_start_central_directory,
G.extra_bytes + G.ecrec.offset_start_central_directory +
@@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
/* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes;
- if (cover_within((cover_t *)G.cover, request)) {
+ if (is_exceed_max_overlaps((cover_t *)G.cover)) {
Info(slide, 0x401, ((char *)slide,
LoadFarString(OverlappedComponents)));
return PK_BOMB;
diff --git a/man/unzip.1 b/man/unzip.1
index 21816d1..a637a14 100644
--- a/man/unzip.1
+++ b/man/unzip.1
@@ -25,7 +25,7 @@
unzip \- list, test and extract compressed files in a ZIP archive
.PD
.SH SYNOPSIS
-\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMUVWX$/:^\fP]]
+\fBunzip\fP [\fB\-Z\fP] [\fB\-cflptTuvz\fP[\fBabjnoqsCDKLMUVWX$/:^\fP][\fB\-g num\fP]]
\fIfile\fP[\fI.zip\fP] [\fIfile(s)\fP\ .\|.\|.]
[\fB\-x\fP\ \fIxfile(s)\fP\ .\|.\|.] [\fB\-d\fP\ \fIexdir\fP]
.PD
@@ -195,6 +195,10 @@ but will be in future releases.
.TP
.B \-z
display only the archive comment.
+.IP \fB\-g\fP\ \fInum\fP
+limit the number of overlap files. When the number of
+overlap files exceeds the num we set, it is a bomb. the num
+is a decimal number.
.PD
.\" =========================================================================
.SH MODIFIERS
diff --git a/unzip.c b/unzip.c
index 5b7d288..8c4c37e 100644
--- a/unzip.c
+++ b/unzip.c
@@ -601,7 +601,7 @@ Latest sources and executables are at ftp://ftp.info-zip.org/pub/infozip/ ;\
\n file[.zip] may be a wildcard. %s\n";
#else /* !VM_CMS */
static ZCONST char Far UnzipUsageLine2[] = "\
-Usage: unzip %s[-opts[modifiers]] file[.zip] [list] [-x xlist] [-d exdir]\n \
+Usage: unzip %s[-opts[modifiers][-g num]] file[.zip] [list] [-x xlist] [-d exdir]\n \
Default action is to extract files in list, except those in xlist, to exdir;\n\
file[.zip] may be a wildcard. %s\n";
#endif /* ?VM_CMS */
@@ -647,7 +648,8 @@ static ZCONST char Far UnzipUsageLine3[] = "\n\
-f freshen existing files, create none -t test compressed archive data\n\
-u update files, create if necessary -z display archive comment only\n\
-v list verbosely/show version info %s\n\
- -x exclude files that follow (in xlist) -d extract files into exdir\n";
+ -x exclude files that follow (in xlist) -d extract files into exdir\n\
+ -g limit the number of overlap files\n";
#endif /* ?VM_CMS */
#endif /* ?MACOS */
@@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv)
extern char OEM_CP[MAX_CP_NAME];
extern char ISO_CP[MAX_CP_NAME];
#endif
-
+ uO.max_overlaps = (unsigned long)(-1); /* if not set, uncheck overlaps */
while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
s = *argv + 1;
while ((c = *s++) != 0) { /* "!= 0": prevent Turbo C warning */
@@ -1528,6 +1575,26 @@ int uz_opts(__G__ pargc, pargv)
uO.acorn_nfs_ext = TRUE;
break;
#endif /* RISCOS || ACORN_FTYPE_NFS */
+#ifdef UNIX
+ case('g'): /* set overlap entries */
+ if (negative) { // invalid param, eg: --g
+ Info(slide, 0x401, ((char *)slide,
+ "error: invalid param, eg: unzip --g"));
+ return(PK_PARAM);
+ } else {
+ if (argc > 1) {
+ char *leftover;
+ --argc;
+ ++argv;
+ uO.max_overlaps = strtoul(*argv, &leftover, 10);
+ } else { /* else pwdarg points at decryption password */
+ Info(slide, 0x401, ((char *)slide,
+ "error: invalid param, -g need add decimal number"));
+ return(PK_PARAM);
+ }
+ }
+ break;
+#endif
case ('h'): /* just print help message and quit */
if (showhelp == 0) {
#ifndef SFX
@@ -2235,6 +2302,7 @@ static void help_extended(__G)
" information. Also can be added to other list commands for more",
" verbose output.",
" -z Display only archive comment.",
+ " -g Limit the number of overlap files.",
"",
"unzip modifiers:",
" -a Convert text files to local OS format. Convert line ends, EOF",
diff --git a/unzip.h b/unzip.h
index ed24a5b..a7e8a64 100644
--- a/unzip.h
+++ b/unzip.h
@@ -560,6 +560,7 @@ typedef struct _UzpOpts {
int cflxflag; /* -^: allow control chars in extracted filenames */
#endif
#endif /* !FUNZIP */
+ unsigned long max_overlaps; /* Maximum number of overlaps allowed */
} UzpOpts;
/* intended to be a private struct: */
diff --git a/unzip.txt b/unzip.txt
index e8e9719..6594ee6 100644
--- a/unzip.txt
+++ b/unzip.txt
@@ -4,7 +4,7 @@ NAME
unzip - list, test and extract compressed files in a ZIP archive
SYNOPSIS
- unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...]
+ unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...]
[-x xfile(s) ...] [-d exdir]
DESCRIPTION
@@ -177,6 +177,10 @@ OPTIONS
implemented but will be in future releases.
-z display only the archive comment.
+ -g num
+ limit the number of overlap files. When the number of overlap f-
+ iles exceeds the num we set, it is a bomb. the num is a decimal
+ number.
MODIFIERS
-a convert text files. Ordinarily all files are extracted exactly
--
1.8.3.1

25
CVE-2019-13232-pre.patch
View File

@ -0,0 +1,25 @@
From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 27 May 2019 08:20:32 -0700
Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.
---
fileio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fileio.c b/fileio.c
index c042987..bc00d74 100644
--- a/fileio.c
+++ b/fileio.c
@@ -530,8 +530,10 @@ void undefer_input(__G)
* This condition was checked when G.incnt_leftover was set > 0 in
* defer_leftover_input(), and it is NOT allowed to touch G.csize
* before calling undefer_input() when (G.incnt_leftover > 0)
- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
+ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
*/
+ if (G.csize < 0L)
+ G.csize = 0L;
G.incnt = G.incnt_leftover + (int)G.csize;
G.inptr = G.inptr_leftover - (int)G.csize;
G.incnt_leftover = 0;

349
CVE-2019-13232.patch
View File

@ -0,0 +1,349 @@
From 47b3ceae397d21bf822bc2ac73052a4b1daf8e1c Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Tue, 11 Jun 2019 22:01:18 -0700
Subject: [PATCH] Detect and reject a zip bomb using overlapped entries.
This detects an invalid zip file that has at least one entry that
overlaps with another entry or with the central directory to the
end of the file. A Fifield zip bomb uses overlapped local entries
to vastly increase the potential inflation ratio. Such an invalid
zip file is rejected.
See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
analysis, construction, and examples of such zip bombs.
The detection maintains a list of covered spans of the zip files
so far, where the central directory to the end of the file and any
bytes preceding the first entry at zip file offset zero are
considered covered initially. Then as each entry is decompressed
or tested, it is considered covered. When a new entry is about to
be processed, its initial offset is checked to see if it is
contained by a covered span. If so, the zip file is rejected as
invalid.
This commit depends on a preceding commit: "Fix bug in
undefer_input() that misplaced the input state."
---
extract.c | 190 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
globals.c | 1 +
globals.h | 3 +
process.c | 11 ++++
unzip.h | 1 +
5 files changed, 205 insertions(+), 1 deletion(-)
diff --git a/extract.c b/extract.c
index 1acd769..0973a33 100644
--- a/extract.c
+++ b/extract.c
@@ -319,6 +319,125 @@ static ZCONST char Far UnsupportedExtraField[] =
"\nerror: unsupported extra-field compression type (%u)--skipping\n";
static ZCONST char Far BadExtraFieldCRC[] =
"error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
+static ZCONST char Far NotEnoughMemCover[] =
+ "error: not enough memory for bomb detection\n";
+static ZCONST char Far OverlappedComponents[] =
+ "error: invalid zip file with overlapped components (possible zip bomb)\n";
+
+
+
+
+
+/* A growable list of spans. */
+typedef zoff_t bound_t;
+typedef struct {
+ bound_t beg; /* start of the span */
+ bound_t end; /* one past the end of the span */
+} span_t;
+typedef struct {
+ span_t *span; /* allocated, distinct, and sorted list of spans */
+ size_t num; /* number of spans in the list */
+ size_t max; /* allocated number of spans (num <= max) */
+} cover_t;
+
+/*
+ * Return the index of the first span in cover whose beg is greater than val.
+ * If there is no such span, then cover->num is returned.
+ */
+static size_t cover_find(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t lo = 0, hi = cover->num;
+ while (lo < hi) {
+ size_t mid = (lo + hi) >> 1;
+ if (val < cover->span[mid].beg)
+ hi = mid;
+ else
+ lo = mid + 1;
+ }
+ return hi;
+}
+
+/* Return true if val lies within any one of the spans in cover. */
+static int cover_within(cover, val)
+ cover_t *cover;
+ bound_t val;
+{
+ size_t pos = cover_find(cover, val);
+ return pos > 0 && val < cover->span[pos - 1].end;
+}
+
+/*
+ * Add a new span to the list, but only if the new span does not overlap any
+ * spans already in the list. The new span covers the values beg..end-1. beg
+ * must be less than end.
+ *
+ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
+ * the list as needed. On success, 0 is returned. If the new span overlaps any
+ * existing spans, then 1 is returned and the new span is not added to the
+ * list. If the new span is invalid because beg is greater than or equal to
+ * end, then -1 is returned. If the list needs to be grown but the memory
+ * allocation fails, then -2 is returned.
+ */
+static int cover_add(cover, beg, end)
+ cover_t *cover;
+ bound_t beg;
+ bound_t end;
+{
+ size_t pos;
+ int prec, foll;
+
+ if (beg >= end)
+ /* The new span is invalid. */
+ return -1;
+
+ /* Find where the new span should go, and make sure that it does not
+ overlap with any existing spans. */
+ pos = cover_find(cover, beg);
+ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
+ (pos < cover->num && end > cover->span[pos].beg))
+ return 1;
+
+ /* Check for adjacencies. */
+ prec = pos > 0 && beg == cover->span[pos - 1].end;
+ foll = pos < cover->num && end == cover->span[pos].beg;
+ if (prec && foll) {
+ /* The new span connects the preceding and following spans. Merge the
+ following span into the preceding span, and delete the following
+ span. */
+ cover->span[pos - 1].end = cover->span[pos].end;
+ cover->num--;
+ memmove(cover->span + pos, cover->span + pos + 1,
+ (cover->num - pos) * sizeof(span_t));
+ }
+ else if (prec)
+ /* The new span is adjacent only to the preceding span. Extend the end
+ of the preceding span. */
+ cover->span[pos - 1].end = end;
+ else if (foll)
+ /* The new span is adjacent only to the following span. Extend the
+ beginning of the following span. */
+ cover->span[pos].beg = beg;
+ else {
+ /* The new span has gaps between both the preceding and the following
+ spans. Assure that there is room and insert the span. */
+ if (cover->num == cover->max) {
+ size_t max = cover->max == 0 ? 16 : cover->max << 1;
+ span_t *span = realloc(cover->span, max * sizeof(span_t));
+ if (span == NULL)
+ return -2;
+ cover->span = span;
+ cover->max = max;
+ }
+ memmove(cover->span + pos + 1, cover->span + pos,
+ (cover->num - pos) * sizeof(span_t));
+ cover->num++;
+ cover->span[pos].beg = beg;
+ cover->span[pos].end = end;
+ }
+ return 0;
+}
@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
}
#endif /* !SFX || SFX_EXDIR */
+ /* One more: initialize cover structure for bomb detection. Start with a
+ span that covers the central directory though the end of the file. */
+ if (G.cover == NULL) {
+ G.cover = malloc(sizeof(cover_t));
+ if (G.cover == NULL) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ ((cover_t *)G.cover)->span = NULL;
+ ((cover_t *)G.cover)->max = 0;
+ }
+ ((cover_t *)G.cover)->num = 0;
+ if ((G.extra_bytes != 0 &&
+ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+ cover_add((cover_t *)G.cover,
+ G.extra_bytes + G.ecrec.offset_start_central_directory,
+ G.ziplen) != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+
/*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di-
rectory lies at the end of the zipfile and the member files lie at the
@@ -591,7 +733,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
if (error > error_in_archive)
error_in_archive = error;
/* ...and keep going (unless disk full or user break) */
- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
+ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
+ error == PK_BOMB) {
/* clear reached_end to signal premature stop ... */
reached_end = FALSE;
/* ... and cancel scanning the central directory */
@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
/* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes;
+ if (cover_within((cover_t *)G.cover, request)) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
inbuf_offset = request % INBUFSIZ;
bufstart = request - inbuf_offset;
@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
return IZ_CTRLC; /* cancel operation by user request */
}
#endif
+ error = cover_add((cover_t *)G.cover, request,
+ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
+ if (error < 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(NotEnoughMemCover)));
+ return PK_MEM;
+ }
+ if (error != 0) {
+ Info(slide, 0x401, ((char *)slide,
+ LoadFarString(OverlappedComponents)));
+ return PK_BOMB;
+ }
#ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
UserStop();
#endif
@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
}
undefer_input(__G);
+
+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
+ /* skip over data descriptor (harder than it sounds, due to signature
+ * ambiguity)
+ */
+# define SIG 0x08074b50
+# define LOW 0xffffffff
+ uch buf[12];
+ unsigned shy = 12 - readbuf((char *)buf, 12);
+ ulg crc = shy ? 0 : makelong(buf);
+ ulg clen = shy ? 0 : makelong(buf + 4);
+ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
+ if (crc == SIG && /* if not SIG, no signature */
+ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
+ (clen == SIG && /* if not SIG, no signature */
+ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
+ (ulen == SIG && /* if not SIG, no signature */
+ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
+ /* if not SIG, have signature */
+ )))))
+ /* skip four more bytes to account for signature */
+ shy += 4 - readbuf((char *)buf, 4);
+ if (G.zip64)
+ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
+ if (shy)
+ error = PK_ERR;
+ }
+
return error;
} /* end function extract_or_test_member() */
diff --git a/globals.c b/globals.c
index fa8cca5..1e0f608 100644
--- a/globals.c
+++ b/globals.c
@@ -181,6 +181,7 @@ Uz_Globs *globalsCtor()
# if (!defined(NO_TIMESTAMPS))
uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
# endif
+ G.cover = NULL; /* not allocated yet */
#endif
uO.lflag=(-1);
diff --git a/globals.h b/globals.h
index 11b7215..2bdcdeb 100644
--- a/globals.h
+++ b/globals.h
@@ -260,12 +260,15 @@ typedef struct Globals {
ecdir_rec ecrec; /* used in unzip.c, extract.c */
z_stat statbuf; /* used by main, mapname, check_for_newer */
+ int zip64; /* true if Zip64 info in extra field */
+
int mem_mode;
uch *outbufptr; /* extract.c static */
ulg outsize; /* extract.c static */
int reported_backslash; /* extract.c static */
int disk_full;
int newfile;
+ void **cover; /* used in extract.c for bomb detection */
int didCRlast; /* fileio static */
ulg numlines; /* fileio static: number of lines printed */
diff --git a/process.c b/process.c
index 1e9a1e1..d2e4dc3 100644
--- a/process.c
+++ b/process.c
@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
}
#endif
+ /* Free the cover span list and the cover structure. */
+ if (G.cover != NULL) {
+ free(*(G.cover));
+ free(G.cover);
+ G.cover = NULL;
+ }
+
} /* end function free_G_buffers() */
@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
#define Z64FLGS 0xffff
#define Z64FLGL 0xffffffff
+ G.zip64 = FALSE;
+
if (ef_len == 0 || ef_buf == NULL)
return PK_COOL;
@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
offset += 4;
}
+
+ G.zip64 = TRUE;
#if 0
break; /* Expect only one EF_PKSZ64 block. */
#endif /* 0 */
diff --git a/unzip.h b/unzip.h
index 5b2a326..ed24a5b 100644
--- a/unzip.h
+++ b/unzip.h
@@ -645,6 +645,7 @@ typedef struct _Uzp_cdir_Rec {
#define PK_NOZIP 9 /* zipfile not found */
#define PK_PARAM 10 /* bad or illegal parameters specified */
#define PK_FIND 11 /* no files found */
+#define PK_BOMB 12 /* likely zip bomb */
#define PK_DISK 50 /* disk full */
#define PK_EOF 51 /* unexpected EOF */