unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob ad6a157c568a94753990acb069f6f141458274be 2046 bytes (raw)
name: packages/patches/unzip-32bit-zipbomb-fix.patch 	 # note: path name is non-authoritative(*)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
 
From 13f0260beae851f7d5dd96e9ef757d8d6d7daac1 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Sun, 9 Feb 2020 07:20:13 -0800
Subject: [PATCH] Fix false overlapped components detection on 32-bit systems.

32-bit systems with ZIP64_SUPPORT enabled could have different
size types for zoff_t and zusz_t. That resulted in bad parameter
passing to the bound tracking functions, itself due to the lack of
use of C function prototypes in unzip. This commit assures that
parameters are cast properly for those calls.

This problem occurred only for ill-chosen make options, which give
a 32-bit zoff_t. A proper build will result in a zoff_t of 64 bits,
even on 32-bit systems.
---
 extract.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/extract.c b/extract.c
index 1b73cb0..d9866f9 100644
--- a/extract.c
+++ b/extract.c
@@ -329,7 +329,7 @@ static ZCONST char Far OverlappedComponents[] =
 
 
 /* A growable list of spans. */
-typedef zoff_t bound_t;
+typedef zusz_t bound_t;
 typedef struct {
     bound_t beg;        /* start of the span */
     bound_t end;        /* one past the end of the span */
@@ -518,7 +518,8 @@ int extract_or_test_files(__G)    /* return PK-type error code */
         return PK_MEM;
     }
     if ((G.extra_bytes != 0 &&
-         cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
+         cover_add((cover_t *)G.cover,
+                   (bound_t)0, (bound_t)G.extra_bytes) != 0) ||
         (G.ecrec.have_ecr64 &&
          cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
                    G.ecrec.ec64_end) != 0) ||
@@ -1216,7 +1217,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
 
         /* seek_zipf(__G__ pInfo->offset);  */
         request = G.pInfo->offset + G.extra_bytes;
-        if (cover_within((cover_t *)G.cover, request)) {
+        if (cover_within((cover_t *)G.cover, (bound_t)request)) {
             Info(slide, 0x401, ((char *)slide,
               LoadFarString(OverlappedComponents)));
             return PK_BOMB;

debug log:

solving ad6a157c568a94753990acb069f6f141458274be ...
found ad6a157c568a94753990acb069f6f141458274be in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).