- If an extension block is too small to hold an extension,
authorJosef Möllers <josef@firefly.moellers.local>
Tue, 6 Feb 2018 15:16:36 +0000 (16:16 +0100)
committerJosef Möllers <josef@firefly.moellers.local>
Tue, 6 Feb 2018 15:16:36 +0000 (16:16 +0100)
  do not use the information therein.
- If the End of central directory record (EOCD) contains an
  Offset of start of central directory which is beyond the end of
  the file, reject the file.
  [CVE-2018-6540]

zzip/memdisk.c
zzip/mmapped.c

index a85dab047e15749f759438fc92b1dfae0b704cee..7e6f148190fc7523d37d9c4a8335f8c8c3de5149 100644 (file)
@@ -306,7 +306,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM_ENTRY * entry, short datatype, zzip_siz
         char* ext_end = ext + entry->zz_extlen[i];
         if (ext)
         {
-            while (ext + zzip_extra_block_headerlength <= ext_end)
+           /*
+            * Make sure that
+            * 1) the extra block header
+            * AND
+            * 2) the block we're looking for
+            * fit into the extra block!
+            */
+            while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
             {
                 if (datatype == zzip_extra_block_get_datatype(ext))
                 {
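Review bot: The new bound on the `while` line forms `ext + zzip_extra_block_headerlength + blocksize` before comparing it with `ext_end`, so when `blocksize` (apparently the function's last parameter, truncated in the hunk header) exceeds the bytes left in the extra field, the intermediate pointer is already out of bounds. That is undefined behaviour and may wrap instead of comparing greater. Comparing lengths keeps the arithmetic in range: `while (ext < ext_end && (size_t)(ext_end - ext) >= zzip_extra_block_headerlength + blocksize)`. The function body starts and ends outside the hunk, so the step that advances `ext` is not visible here; it should be checked that a declared data size taken from the archive cannot move `ext` past `ext_end`.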
index c1b8e391866cbda18857029c00cec184a0a06648..d66c4dad195cc67658723f63cc01cdba88ff44bc 100644 (file)
@@ -458,6 +458,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
             errno = EBADMSG;
             return 0;
         }
+       if (root >= disk->endbuf)
+       {
+           DBG1("root behind endbuf should be impossible");
+           errno = EBADMSG;
+           return 0;
+       }
         if (zzip_disk_entry_check_magic(root))
         {
             DBG1("found the disk root");
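Review bot: The added `root >= disk->endbuf` test rejects only a root at or past the end of the buffer, so a root that lands in the last few bytes still reaches `zzip_disk_entry_check_magic(root)` with less than a full entry header available. The guard should require the whole header to fit, e.g. `if (root >= disk->endbuf || (size_t)((char *) disk->endbuf - (char *) root) < sizeof *root)`, assuming `root` points at the entry structure (its declaration is outside the hunk). The debug text "should be impossible" is also misleading, since the commit message describes this as reachable from an EOCD offset beyond the end of the file; `DBG1("central directory offset beyond end of file")` would describe it better. zzip_disk_findfirst starts and ends outside the hunk.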