From 15b8c969df962a444dfa07b3d5bd4b27dc0dbba7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Josef=20M=C3=B6llers?= <josef@firefly.moellers.local>
Date: Tue, 6 Feb 2018 16:16:36 +0100
Subject: [PATCH] - If an extension block is too small to hold an extension,  
 do not use the information therein. - If the End of central directory record
 (EOCD) contains an   Offset of start of central directory which is beyond the
 end of   the file, reject the file.   [CVE-2018-6540]

---
 zzip/memdisk.c | 9 ++++++++-
 zzip/mmapped.c | 6 ++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/zzip/memdisk.c b/zzip/memdisk.c
index a85dab0..7e6f148 100644
--- a/zzip/memdisk.c
+++ b/zzip/memdisk.c
@@ -306,7 +306,14 @@ zzip_mem_entry_find_extra_block(ZZIP_MEM_ENTRY * entry, short datatype, zzip_siz
         char* ext_end = ext + entry->zz_extlen[i];
         if (ext)
         {
-            while (ext + zzip_extra_block_headerlength <= ext_end)
+	    /*
+	     * Make sure that
+	     * 1) the extra block header
+	     * AND
+	     * 2) the block we're looking for
+	     * fit into the extra block!
+	     */
+            while (ext + zzip_extra_block_headerlength + blocksize <= ext_end)
             {
                 if (datatype == zzip_extra_block_get_datatype(ext))
                 {
diff --git a/zzip/mmapped.c b/zzip/mmapped.c
index c1b8e39..d66c4da 100644
--- a/zzip/mmapped.c
+++ b/zzip/mmapped.c
@@ -458,6 +458,12 @@ zzip_disk_findfirst(ZZIP_DISK * disk)
             errno = EBADMSG;
             return 0;
         }
+	if (root >= disk->endbuf)
+	{
+	    DBG1("root behind endbuf should be impossible");
+	    errno = EBADMSG;
+	    return 0;
+	}
         if (zzip_disk_entry_check_magic(root))
         {
             DBG1("found the disk root");
-- 
2.40.0