Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix signed integer overflow in ZIP reading code

Browse Source 
Subtracting a huge negative offset from the current position could
overflow it, which was correctly detected as undefined behaviour by
UBSAN.

Credit to OSS-Fuzz: this solves its issue 4388.
This commit is contained in:
Vadim Zeitlin
2017-10-28 15:02:12 +02:00
parent 9d97e4e7cc
commit 8415d12c61
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/common/zipstrm.cpp
View File

@@ -1719,8 +1719,11 @@ bool wxZipInputStream::LoadEndRecord()
ReadSignature() == magic) { ReadSignature() == magic) {
m_signature = magic; m_signature = magic;
m_position = endPos - recSize; m_position = endPos - recSize;
m_offsetAdjustment = m_position - endrec.GetOffset(); if ( endrec.GetOffset() >= 0 && endrec.GetOffset() < m_position )
return true; {
m_offsetAdjustment = m_position - endrec.GetOffset();
return true;
}
} }
wxLogError(_("can't find central directory in zip")); wxLogError(_("can't find central directory in zip"));