2 Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow
3 Bug-Debian: http://bugs.debian.org/773722
9 - Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
10 + Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
12 See the accompanying file LICENSE, version 2009-Jan-02 or later
13 (the contents of which are also included in unzip.h) for terms of use.
16 static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
17 EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
18 + static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
19 + EF block length (%u bytes) invalid (< %d)\n";
20 static ZCONST char Far InvalidComprDataEAs[] =
21 " invalid compressed data for EAs\n";
22 # if (defined(WIN32) && defined(NTSD_EAS))
25 ebLen = (unsigned)makeword(ef+EB_LEN);
27 - if (ebLen > (ef_len - EB_HEADSIZE)) {
28 + if (ebLen > (ef_len - EB_HEADSIZE))
30 /* Discovered some extra field inconsistency! */
32 Info(slide, 1, ((char *)slide, "%-22s ",
33 @@ -2032,6 +2035,16 @@
34 ebLen, (ef_len - EB_HEADSIZE)));
37 + else if (ebLen < EB_HEADSIZE)
39 + /* Extra block length smaller than header length. */
41 + Info(slide, 1, ((char *)slide, "%-22s ",
42 + FnFilter1(G.filename)));
43 + Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
44 + ebLen, EB_HEADSIZE));