oss-sec mailing list archives

Re: unzip -t crasher


From: mancha <mancha1 () zoho com>
Date: Mon, 3 Nov 2014 20:24:28 +0000

On Mon, Nov 03, 2014 at 11:05:43AM +0000, mancha wrote:
> This buggy code path is traversed when a ZIP archive has <<extra
> fields>> with blocks that are uncompressed (i.e. using the STORED
> method). A better solution than my last patch or malloc'ing max(),
> is returning an invalid compressed data error when size(compressed)!=
> size(uncompressed) for these cases. The attached patch does just that.
> Comments welcome.
>
> Cheers.
>
> --mancha
>
> PS I have been CC'ing Christian Spieler via the only email I could find
> online. I've not gotten bounces so it might still be active.

By the way, I've removed the original patch (unzip-6.0_overflow.diff)
from SF. Folks should use unzip-6.0_overflow2.diff instead:

http://sf.net/projects/mancha/files/sec/unzip-6.0_overflow2.diff

--mancha

Attachment: _bin
Description:
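
The size check described in the message above, sketched as an added example; it is not part of the original post and is not the code from unzip-6.0_overflow2.diff. The block layout (4-byte declared uncompressed size, 2-byte method, then payload), the function name and the error codes are assumptions made for illustration and do not reproduce unzip's own structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EB_STORED      0     /* ZIP compression method 0: stored, no compression */
#define EB_OK          0
#define EB_ERR_INVALID (-1)  /* stands in for an "invalid compressed data" error */
#define EB_HDR_LEN     6     /* assumed layout: [0..3] ucsize, [4..5] method, [6..] payload */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Copy the payload of a STORED block into out[], rejecting any block whose
 * declared uncompressed size disagrees with the bytes actually present. */
int eb_extract_stored(const uint8_t *blk, size_t blk_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (blk_len < EB_HDR_LEN)
        return EB_ERR_INVALID;            /* header itself is truncated */
    uint32_t ucsize = le32(blk);          /* size the archive claims */
    uint16_t method = le16(blk + 4);
    size_t   csize  = blk_len - EB_HDR_LEN; /* size actually carried */

    if (method != EB_STORED)
        return EB_ERR_INVALID;            /* other methods are out of scope here */
    if (csize != ucsize)
        return EB_ERR_INVALID;            /* STORED: both sizes must agree */
    if (csize > out_cap)
        return EB_ERR_INVALID;            /* never write past the caller's buffer */
    memcpy(out, blk + EB_HDR_LEN, csize);
    *out_len = csize;
    return EB_OK;
}

int main(void)
{
    /* Constructed samples: the first is consistent, the second claims
     * 4 bytes but carries only 2. */
    const uint8_t good[] = { 4, 0, 0, 0,  0, 0,  'a', 'b', 'c', 'd' };
    const uint8_t bad[]  = { 4, 0, 0, 0,  0, 0,  'a', 'b' };
    uint8_t out[8];
    size_t n = 0;
    printf("good: %d\n", eb_extract_stored(good, sizeof good, out, sizeof out, &n));
    printf("bad:  %d\n", eb_extract_stored(bad, sizeof bad, out, sizeof out, &n));
    return 0;
}
```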

