Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix input buffer overflow in wxZip code

Browse Source 
Don't crash when reading malformed ZIP files with incorrect field
lengths for the extra fields.

Closes #17947.
This commit is contained in:
Vadim Zeitlin
2017-09-13 14:46:11 +02:00
parent d25d2400fc
commit e48676cf4a
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/common/zipstrm.cpp
View File

@@ -1033,7 +1033,8 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
// seeking for the field with Header ID = 1. // seeking for the field with Header ID = 1.
// (There is not stated in the documentation // (There is not stated in the documentation
// that it should be the first one in the collection.) // that it should be the first one in the collection.)
while ( extraLen >= 4 ) const char* const extraDataEnd = extraData + extraLen;
while ( extraData + 4 <= extraDataEnd )
{ {
// Parse extra header // Parse extra header
wxZipHeader hds(extraData, 4); wxZipHeader hds(extraData, 4);
@@ -1041,6 +1042,14 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
wxUint16 fieldLen = hds.Read16(); wxUint16 fieldLen = hds.Read16();
if ( fieldID == 1 ) if ( fieldID == 1 )
{ {
// Check that we don't overflow the input buffer.
if ( extraData + 4 + fieldLen > extraDataEnd )
{
wxLogWarning(_("Ignoring malformed extra data record, "
"ZIP file may be corrupted"));
return false;
}
// Data block for extra field with Header ID = 1 (ZIP64) // Data block for extra field with Header ID = 1 (ZIP64)
// can have length up to 28 bytes. // can have length up to 28 bytes.
wxZipHeader ds(extraData+4, wxMin(fieldLen, 28)); wxZipHeader ds(extraData+4, wxMin(fieldLen, 28));