From 06ce6e3334565358f6ff044c3e681e4acc428902 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Josef=20M=C3=B6llers?=
Date: Wed, 21 Mar 2018 09:15:09 +0100
Subject: [PATCH] __zzip_parse_root_directory: Check if rootsize is non-0 and rootseek lies within the archive. Fixes CVE-2018-7726.
---
 docs/zziplib.html | 6 ++++--
 zzip/zip.c | 11 ++++++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/docs/zziplib.html b/docs/zziplib.html
index 589ccc0..82c6d75 100644
--- a/docs/zziplib.html
+++ b/docs/zziplib.html
@@ -415,7 +415,8 @@ generated 2003-12-12
 (int fd,
 struct zzip_disk_trailer * trailer,
 struct zzip_dir_hdr ** hdr_return,
-zzip_plugin_io_t io)
+zzip_plugin_io_t io,
+zzip_off_t filesize)
 ZZIP_DIR*
@@ -1091,7 +1092,8 @@ generated 2003-12-12
 (int fd,
 struct zzip_disk_trailer * trailer,
 struct zzip_dir_hdr ** hdr_return,
-zzip_plugin_io_t io)
+zzip_plugin_io_t io,
+zzip_off_t filesize)

 (../zzip/zip.c)
diff --git a/zzip/zip.c b/zzip/zip.c
index 14e2e06..dd0a2e7 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
 int __zzip_parse_root_directory(int fd,
 struct _disk_trailer *trailer,
 struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io);
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
 _zzip_inline static char *__zzip_aligned4(char *p);
@@ -406,7 +407,8 @@ int
 __zzip_parse_root_directory(int fd,
 struct _disk_trailer *trailer,
 struct zzip_dir_hdr **hdr_return,
- zzip_plugin_io_t io)
+ zzip_plugin_io_t io,
+ zzip_off_t filesize);
 {
 auto struct zzip_disk_entry dirent;
 struct zzip_dir_hdr *hdr;
@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
 zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
 __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
+ return ZZIP_CORRUPTED;
+
 if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
 return ZZIP_CORRUPTED;
@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
 (long) _disk_trailer_rootseek(&trailer));
 if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
- dir->io)) != 0)
+ dir->io, filesize)) != 0)
 {
 goto error;
 }
 error:
 return rv;
-- 
2.40.0
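Review bot: The new definition line `+ zzip_off_t filesize);` carries a trailing semicolon directly before the `{` that opens the body, which turns the definition into a declaration followed by a stray brace block and will not compile; it should read `zzip_off_t filesize)`. The semicolon belongs only to the prototype changed in the first hunk at line 82. A short comment on the new parameter, e.g. `/* filesize: total size of the archive, used to bound rootseek */`, would also help readers of the signature. The function body continues outside the hunk.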
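Review bot: The new bounds check on the `if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)` line only verifies that the root directory starts inside the archive, not that it also ends inside it, so a trailer whose rootseek is valid but whose rootsize reaches past the end of the file still passes. Presumably the subsequent read of zz_rootsize bytes at zz_rootseek (outside the hunk) is what the check guards, in which case the condition should also include `zz_rootsize > filesize - zz_rootseek`, written as a subtraction so the sum cannot overflow. With this guard in place the `zz_rootseek < 0` term in the pre-existing check two lines below is redundant and could be dropped. Note that `zz_rootsize <= 0` also rejects a central directory of size 0, which the older `zz_rootsize < 0` test accepted; that matches the commit title, but a one-line comment stating that an empty root directory is deliberately treated as corrupt would document the intent. The enclosing function continues outside the hunk.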
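Review bot: The call now passes `filesize`, but its declaration is outside the hunk, so it cannot be confirmed from here that it is the archive's total size as taken by the `__zzip_fetch_disk_trailer` prototype shown in the first hunk rather than a value derived from the trailer; the new `zz_rootseek >= filesize` check in `__zzip_parse_root_directory` is only as strong as this argument, so the caller should hand over the size obtained from the I/O layer. A comment at the call, e.g. `/* filesize bounds the rootseek check inside __zzip_parse_root_directory */`, would make that dependency explicit. `__zzip_dir_parse` starts outside the hunk.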