From e48676cf4a885b3cb7422d53e2aac391685e38ae Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Wed, 13 Sep 2017 14:46:11 +0200
Subject: [PATCH] Fix input buffer overflow in wxZip code

Don't crash when reading malformed ZIP files with incorrect field lengths for the extra fields.

Closes #17947.
---
 src/common/zipstrm.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/common/zipstrm.cpp b/src/common/zipstrm.cpp
index ab6bef75d6..1399f3fbca 100644
--- a/src/common/zipstrm.cpp
+++ b/src/common/zipstrm.cpp
@@ -1033,7 +1033,8 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
 // seeking for the field with Header ID = 1.
 // (There is not stated in the documentation
 // that it should be the first one in the collection.)
- while ( extraLen >= 4 )
+ const char* const extraDataEnd = extraData + extraLen;
+ while ( extraData + 4 <= extraDataEnd )
 {
 // Parse extra header
 wxZipHeader hds(extraData, 4);
@@ -1041,6 +1042,14 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
 wxUint16 fieldLen = hds.Read16();
 if ( fieldID == 1 )
 {
+ // Check that we don't overflow the input buffer.
+ if ( extraData + 4 + fieldLen > extraDataEnd )
+ {
+ wxLogWarning(_("Ignoring malformed extra data record, "
+ "ZIP file may be corrupted"));
+ return false;
+ }
+
 // Data block for extra field with Header ID = 1 (ZIP64)
 // can have length up to 28 bytes.
 wxZipHeader ds(extraData+4, wxMin(fieldLen, 28));
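Review bot: The new loop condition `extraData + 4 <= extraDataEnd` in the first hunk computes a pointer beyond one-past-the-end whenever fewer than 4 bytes remain (assuming the buffer is exactly `extraLen` bytes long). That is undefined behaviour in C++, so the bounds test itself rests on arithmetic the compiler may assume never happens. Comparing lengths keeps every pointer inside the buffer: `while ( extraDataEnd - extraData >= 4 )`. The second hunk has the same pattern in `extraData + 4 + fieldLen > extraDataEnd`, where `fieldLen` comes from the file and can be as large as 65535; `if ( fieldLen > extraDataEnd - extraData - 4 )` makes the same check on lengths. The loop body continues outside both hunks.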
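Review bot: The added bounds check in the second hunk sits inside `if ( fieldID == 1 )`, so a record with any other header ID and an oversized `fieldLen` is not validated in the lines shown. The code that skips such records is outside the hunk; if it advances `extraData` by `fieldLen + 4`, the pointer can move past `extraDataEnd` before the loop condition is evaluated again. Moving the check to just after `fieldLen` is read, ahead of the `fieldID` test, would reject every malformed record the same way. A short comment there such as `// Validate the record length for every field ID before using or skipping it.` would record the intent.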