fix 2019-13232

wsp1991 2020-03-03 09:49:06 +08:00 committed by Gitee
parent 675c835d46
commit b2c29345c8
4 changed files with 41 additions and 37 deletions


@ -24,7 +24,7 @@ index 0973a33..1b73cb0 100644
@@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */ @@ -493,8 +493,11 @@ int extract_or_test_files(__G) /* return PK-type error code */
} }
#endif /* !SFX || SFX_EXDIR */ #endif /* !SFX || SFX_EXDIR */
- /* One more: initialize cover structure for bomb detection. Start with a - /* One more: initialize cover structure for bomb detection. Start with a
- span that covers the central directory though the end of the file. */ - span that covers the central directory though the end of the file. */
+ /* One more: initialize cover structure for bomb detection. Start with + /* One more: initialize cover structure for bomb detection. Start with
@ -62,7 +62,7 @@ index 0973a33..1b73cb0 100644
+ LoadFarString(OverlappedComponents))); + LoadFarString(OverlappedComponents)));
+ return PK_BOMB; + return PK_BOMB;
+ } + }
/*--------------------------------------------------------------------------- /*---------------------------------------------------------------------------
The basic idea of this function is as follows. Since the central di- The basic idea of this function is as follows. Since the central di-
diff --git a/process.c b/process.c diff --git a/process.c b/process.c
@ -70,14 +70,14 @@ index d2e4dc3..d75d405 100644
--- a/process.c --- a/process.c
+++ b/process.c +++ b/process.c
@@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */ @@ -1408,6 +1408,10 @@ static int find_ecrec64(__G__ searchlen) /* return PK-class error */
/* Now, we are (almost) sure that we have a Zip64 archive. */ /* Now, we are (almost) sure that we have a Zip64 archive. */
G.ecrec.have_ecr64 = 1; G.ecrec.have_ecr64 = 1;
+ G.ecrec.ec_start -= ECLOC64_SIZE+4; + G.ecrec.ec_start -= ECLOC64_SIZE+4;
+ G.ecrec.ec64_start = ecrec64_start_offset; + G.ecrec.ec64_start = ecrec64_start_offset;
+ G.ecrec.ec64_end = ecrec64_start_offset + + G.ecrec.ec64_end = ecrec64_start_offset +
+ 12 + makeint64(&byterec[ECREC64_LENGTH]); + 12 + makeint64(&byterec[ECREC64_LENGTH]);
/* Update the "end-of-central-dir offset" for later checks. */ /* Update the "end-of-central-dir offset" for later checks. */
G.real_ecrec_offset = ecrec64_start_offset; G.real_ecrec_offset = ecrec64_start_offset;
@@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */ @@ -1542,6 +1546,8 @@ static int find_ecrec(__G__ searchlen) /* return PK-class error */
@ -86,7 +86,7 @@ index d2e4dc3..d75d405 100644
makeword(&byterec[ZIPFILE_COMMENT_LENGTH]); makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
+ G.ecrec.ec_start = G.real_ecrec_offset; + G.ecrec.ec_start = G.real_ecrec_offset;
+ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length; + G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
/* Now, we have to read the archive comment, BEFORE the file pointer /* Now, we have to read the archive comment, BEFORE the file pointer
is moved away backwards to seek for a Zip64 ECLOC64 structure. is moved away backwards to seek for a Zip64 ECLOC64 structure.
diff --git a/unzpriv.h b/unzpriv.h diff --git a/unzpriv.h b/unzpriv.h
@ -108,4 +108,5 @@ index dc9eff5..297b3c7 100644
+ end of the Zip64 end of central + end of the Zip64 end of central
+ directory record */ + directory record */
} ecdir_rec; } ecdir_rec;
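Review bot: In find_ecrec64(), `G.ecrec.ec64_end = ecrec64_start_offset + 12 + makeint64(&byterec[ECREC64_LENGTH]);` adds a length field read from the archive without a visible range check, so a crafted record size could put ec64_end beyond the end of the file or, if the offset type is unsigned, wrap it below ec64_start. The later use is outside these hunks, so confirm that the cover setup in extract_or_test_files() treats a span with end <= start as an error and returns PK_BOMB rather than skipping it. A short comment beside the assignment would record that assumption, e.g. `/* length is taken from the archive; the span is validated when added to the cover */`. The `ec_end` assignment in find_ecrec() has the same shape, with the comment length read via makeword(); both functions continue outside the hunks shown.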


@ -22,7 +22,7 @@ index 3a01d13..031efdb 100644
size_t max; /* allocated number of spans (num <= max) */ size_t max; /* allocated number of spans (num <= max) */
+ unsigned long count; + unsigned long count;
} cover_t; } cover_t;
/* /*
* Return the index of the first span in cover whose beg is greater than val. * Return the index of the first span in cover whose beg is greater than val.
* If there is no such span, then cover->num is returned. * If there is no such span, then cover->num is returned.
@ -62,7 +62,7 @@ index 3a01d13..031efdb 100644
+ size_t pos = cover_find(cover, val, 0); + size_t pos = cover_find(cover, val, 0);
return pos > 0 && val < cover->span[pos - 1].end; return pos > 0 && val < cover->span[pos - 1].end;
} }
+static int is_exceed_max_overlaps(cover, val) +static int is_exceed_max_overlaps(cover, val)
+ cover_t *cover; + cover_t *cover;
+{ +{
@ -80,10 +80,10 @@ index 3a01d13..031efdb 100644
+ size_t pos_beg; + size_t pos_beg;
+ size_t pos_end; + size_t pos_end;
int prec, foll; int prec, foll;
if (beg >= end) if (beg >= end)
@@ -396,31 +412,76 @@ static int cover_add(cover, beg, end) @@ -396,31 +412,76 @@ static int cover_add(cover, beg, end)
/* Find where the new span should go, and make sure that it does not /* Find where the new span should go, and make sure that it does not
overlap with any existing spans. */ overlap with any existing spans. */
- pos = cover_find(cover, beg); - pos = cover_find(cover, beg);
@ -92,7 +92,7 @@ index 3a01d13..031efdb 100644
- return 1; - return 1;
+ pos_beg = cover_find(cover, beg, 0); + pos_beg = cover_find(cover, beg, 0);
+ pos_end = cover_find(cover, end, 1); + pos_end = cover_find(cover, end, 1);
/* Check for adjacencies. */ /* Check for adjacencies. */
- prec = pos > 0 && beg == cover->span[pos - 1].end; - prec = pos > 0 && beg == cover->span[pos - 1].end;
- foll = pos < cover->num && end == cover->span[pos].beg; - foll = pos < cover->num && end == cover->span[pos].beg;
@ -198,7 +198,7 @@ index 3a01d13..031efdb 100644
G.extra_bytes + G.ecrec.offset_start_central_directory, G.extra_bytes + G.ecrec.offset_start_central_directory,
G.extra_bytes + G.ecrec.offset_start_central_directory + G.extra_bytes + G.ecrec.offset_start_central_directory +
@@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk, @@ -1218,7 +1280,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
/* seek_zipf(__G__ pInfo->offset); */ /* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes; request = G.pInfo->offset + G.extra_bytes;
- if (cover_within((cover_t *)G.cover, request)) { - if (cover_within((cover_t *)G.cover, request)) {
@ -252,12 +252,12 @@ index 5b7d288..8c4c37e 100644
+ -g limit the number of overlap files\n"; + -g limit the number of overlap files\n";
#endif /* ?VM_CMS */ #endif /* ?VM_CMS */
#endif /* ?MACOS */ #endif /* ?MACOS */
@@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv) @@ -1367,7 +1414,7 @@ int uz_opts(__G__ pargc, pargv)
extern char OEM_CP[MAX_CP_NAME]; extern char OEM_CP[MAX_CP_NAME];
extern char ISO_CP[MAX_CP_NAME]; extern char ISO_CP[MAX_CP_NAME];
#endif #endif
- -
+ uO.max_overlaps = (unsigned long)(-1); /* if not set, uncheck overlaps */ + uO.max_overlaps = (unsigned long)(-1); /* if not set, uncheck overlaps */
while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) { while (++argv, (--argc > 0 && *argv != NULL && **argv == '-')) {
s = *argv + 1; s = *argv + 1;
@ -307,7 +307,7 @@ index ed24a5b..a7e8a64 100644
#endif /* !FUNZIP */ #endif /* !FUNZIP */
+ unsigned long max_overlaps; /* Maximum number of overlaps allowed */ + unsigned long max_overlaps; /* Maximum number of overlaps allowed */
} UzpOpts; } UzpOpts;
/* intended to be a private struct: */ /* intended to be a private struct: */
diff --git a/unzip.txt b/unzip.txt diff --git a/unzip.txt b/unzip.txt
index e8e9719..6594ee6 100644 index e8e9719..6594ee6 100644
@ -315,23 +315,24 @@ index e8e9719..6594ee6 100644
+++ b/unzip.txt +++ b/unzip.txt
@@ -4,7 +4,7 @@ NAME @@ -4,7 +4,7 @@ NAME
unzip - list, test and extract compressed files in a ZIP archive unzip - list, test and extract compressed files in a ZIP archive
SYNOPSIS SYNOPSIS
- unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...] - unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^]] file[.zip] [file(s) ...]
+ unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...] + unzip [-Z] [-cflptTuvz[abjnoqsCDKLMUVWX$/:^][-g num]] file[.zip] [file(s) ...]
[-x xfile(s) ...] [-d exdir] [-x xfile(s) ...] [-d exdir]
DESCRIPTION DESCRIPTION
@@ -177,6 +177,10 @@ OPTIONS @@ -177,6 +177,10 @@ OPTIONS
implemented but will be in future releases. implemented but will be in future releases.
-z display only the archive comment. -z display only the archive comment.
+ -g num + -g num
+ limit the number of overlap files. When the number of overlap f- + limit the number of overlap files. When the number of overlap f-
+ iles exceeds the num we set, it is a bomb. the num is a decimal + iles exceeds the num we set, it is a bomb. the num is a decimal
+ number. + number.
MODIFIERS MODIFIERS
-a convert text files. Ordinarily all files are extracted exactly -a convert text files. Ordinarily all files are extracted exactly
-- --
1.8.3.1 1.8.3.1
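Review bot: The default set in uz_opts(), `uO.max_overlaps = (unsigned long)(-1); /* if not set, uncheck overlaps */`, appears to leave the overlap limit effectively unlimited unless the user passes `-g num`, which would make this part of the bomb detection opt-in. If that is intended, the unzip.txt entry for `-g num` should state the default explicitly, for example `Without -g the number of overlapping entries is not limited.`; otherwise a finite conservative default is the safer choice for a fix of this kind. The bodies of is_exceed_max_overlaps() and cover_add() are mostly outside the visible hunks, so how the limit is enforced, and whether `num` is range-checked when parsed, should be confirmed there.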


@ -1,5 +1,7 @@
From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001 From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu> From: Mark Adler <madler@alumni.caltech.edu>
From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 27 May 2019 08:20:32 -0700 Date: Mon, 27 May 2019 08:20:32 -0700
Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state. Subject: [PATCH] Fix bug in undefer_input() that misplaced the input state.
@ -22,4 +24,4 @@ index c042987..bc00d74 100644
+ G.csize = 0L; + G.csize = 0L;
G.incnt = G.incnt_leftover + (int)G.csize; G.incnt = G.incnt_leftover + (int)G.csize;
G.inptr = G.inptr_leftover - (int)G.csize; G.inptr = G.inptr_leftover - (int)G.csize;
G.incnt_leftover = 0; G.incnt_leftover = 0;
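Review bot: The two lines added at the top of this patch file appear to repeat the existing `From 41beb477c5744bc396fa1162ee0c14218ec12213 Mon Sep 17 00:00:00 2001` and `From: Mark Adler <madler@alumni.caltech.edu>` header lines, so the mail preamble now carries each of them twice. patch(1) skips leading text, but tools that read the file as a mailbox may take the second `From ` line as the start of another message; dropping the duplicated pair keeps the header identical to the upstream commit. The old/new sides are inferred from the rendered two-column view, so verify against the raw diff.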


@ -158,9 +158,9 @@ index 1acd769..0973a33 100644
+ } + }
+ return 0; + return 0;
+} +}
@@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */ @@ -374,6 +493,29 @@ int extract_or_test_files(__G) /* return PK-type error code */
} }
#endif /* !SFX || SFX_EXDIR */ #endif /* !SFX || SFX_EXDIR */
@ -202,7 +202,7 @@ index 1acd769..0973a33 100644
reached_end = FALSE; reached_end = FALSE;
/* ... and cancel scanning the central directory */ /* ... and cancel scanning the central directory */
@@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk, @@ -1060,6 +1203,11 @@ static int extract_or_test_entrylist(__G__ numchunk,
/* seek_zipf(__G__ pInfo->offset); */ /* seek_zipf(__G__ pInfo->offset); */
request = G.pInfo->offset + G.extra_bytes; request = G.pInfo->offset + G.extra_bytes;
+ if (cover_within((cover_t *)G.cover, request)) { + if (cover_within((cover_t *)G.cover, request)) {
@ -212,7 +212,7 @@ index 1acd769..0973a33 100644
+ } + }
inbuf_offset = request % INBUFSIZ; inbuf_offset = request % INBUFSIZ;
bufstart = request - inbuf_offset; bufstart = request - inbuf_offset;
@@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk, @@ -1591,6 +1739,18 @@ static int extract_or_test_entrylist(__G__ numchunk,
return IZ_CTRLC; /* cancel operation by user request */ return IZ_CTRLC; /* cancel operation by user request */
} }
@ -234,7 +234,7 @@ index 1acd769..0973a33 100644
#endif #endif
@@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */ @@ -1992,6 +2152,34 @@ static int extract_or_test_member(__G) /* return PK-type error code */
} }
undefer_input(__G); undefer_input(__G);
+ +
+ if ((G.lrec.general_purpose_bit_flag & 8) != 0) { + if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
@ -265,7 +265,7 @@ index 1acd769..0973a33 100644
+ } + }
+ +
return error; return error;
} /* end function extract_or_test_member() */ } /* end function extract_or_test_member() */
diff --git a/globals.c b/globals.c diff --git a/globals.c b/globals.c
index fa8cca5..1e0f608 100644 index fa8cca5..1e0f608 100644
@ -277,7 +277,7 @@ index fa8cca5..1e0f608 100644
# endif # endif
+ G.cover = NULL; /* not allocated yet */ + G.cover = NULL; /* not allocated yet */
#endif #endif
uO.lflag=(-1); uO.lflag=(-1);
diff --git a/globals.h b/globals.h diff --git a/globals.h b/globals.h
index 11b7215..2bdcdeb 100644 index 11b7215..2bdcdeb 100644
@ -286,7 +286,7 @@ index 11b7215..2bdcdeb 100644
@@ -260,12 +260,15 @@ typedef struct Globals { @@ -260,12 +260,15 @@ typedef struct Globals {
ecdir_rec ecrec; /* used in unzip.c, extract.c */ ecdir_rec ecrec; /* used in unzip.c, extract.c */
z_stat statbuf; /* used by main, mapname, check_for_newer */ z_stat statbuf; /* used by main, mapname, check_for_newer */
+ int zip64; /* true if Zip64 info in extra field */ + int zip64; /* true if Zip64 info in extra field */
+ +
int mem_mode; int mem_mode;
@ -296,7 +296,7 @@ index 11b7215..2bdcdeb 100644
int disk_full; int disk_full;
int newfile; int newfile;
+ void **cover; /* used in extract.c for bomb detection */ + void **cover; /* used in extract.c for bomb detection */
int didCRlast; /* fileio static */ int didCRlast; /* fileio static */
ulg numlines; /* fileio static: number of lines printed */ ulg numlines; /* fileio static: number of lines printed */
diff --git a/process.c b/process.c diff --git a/process.c b/process.c
@ -306,7 +306,7 @@ index 1e9a1e1..d2e4dc3 100644
@@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */ @@ -637,6 +637,13 @@ void free_G_buffers(__G) /* releases all memory allocated in global vars */
} }
#endif #endif
+ /* Free the cover span list and the cover structure. */ + /* Free the cover span list and the cover structure. */
+ if (G.cover != NULL) { + if (G.cover != NULL) {
+ free(*(G.cover)); + free(*(G.cover));
@ -315,17 +315,17 @@ index 1e9a1e1..d2e4dc3 100644
+ } + }
+ +
} /* end function free_G_buffers() */ } /* end function free_G_buffers() */
@@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len) @@ -1890,6 +1897,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
#define Z64FLGS 0xffff #define Z64FLGS 0xffff
#define Z64FLGL 0xffffffff #define Z64FLGL 0xffffffff
+ G.zip64 = FALSE; + G.zip64 = FALSE;
+ +
if (ef_len == 0 || ef_buf == NULL) if (ef_len == 0 || ef_buf == NULL)
return PK_COOL; return PK_COOL;
@@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len) @@ -1927,6 +1936,8 @@ int getZip64Data(__G__ ef_buf, ef_len)
G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
offset += 4; offset += 4;
@ -346,4 +346,4 @@ index 5b2a326..ed24a5b 100644
+#define PK_BOMB 12 /* likely zip bomb */ +#define PK_BOMB 12 /* likely zip bomb */
#define PK_DISK 50 /* disk full */ #define PK_DISK 50 /* disk full */
#define PK_EOF 51 /* unexpected EOF */ #define PK_EOF 51 /* unexpected EOF */