From d8d3475850d883e90d79086293279149d42658fd Mon Sep 17 00:00:00 2001
From: Karol Babioch <kbabioch@suse.com>
Date: Sat, 15 Jun 2019 18:13:11 -0700
Subject: [PATCH] Fix buffer overflow in password protected zip archives
---
fileio.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/fileio.c b/fileio.c
index 36bfea3..7c21ed0 100644
--- a/fileio.c
+++ b/fileio.c
@@ -1582,6 +1582,10 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
int r = IZ_PW_ENTERED;
char *m;
char *prompt;
+ char *zfnf;
+ char *efnf;
+ size_t zfnfl;
+ int isOverflow;
#ifndef REENTRANT
/* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,7 +1594,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
if (*rcnt == 0) { /* First call for current entry */
*rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+ zfnf = FnFilter1(zfn);
+ efnf = FnFilter2(efn);
+ zfnfl = strlen(zfnf);
+ isOverflow = TRUE;
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+ {
+ isOverflow = FALSE;
+ }
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
sprintf(prompt, LoadFarString(PasswPrompt),
FnFilter1(zfn), FnFilter2(efn));
m = prompt;
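Review bot: The `sprintf` at the end of this hunk still formats fresh `FnFilter1(zfn)` / `FnFilter2(efn)` results instead of the `zfnf` / `efnf` strings whose lengths the new check measured, so the guard and the write agree only if those calls return the same text twice. Passing the checked pointers, `sprintf(prompt, LoadFarString(PasswPrompt), zfnf, efnf);`, would make the bound apply to exactly what is written, assuming the two filters use separate buffers, which the hunk does not show. The check also relies on the 15 spare bytes covering the fixed text of `PasswPrompt` plus the terminating NUL; a comment such as `/* 15 = literal text of PasswPrompt + NUL */` next to the `malloc` would record that dependency. The branch taken when `isOverflow` stays TRUE lies outside the hunk, so confirm that it falls back to a prompt that does not embed the file names.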
--
2.20.1