File Fix-CVE-2014-9636-unzip-buffer-overflow.patch of Package unzip.362

From 10e062dc23e96ab67b6ef7bc1506cb7341584fee Mon Sep 17 00:00:00 2001
From: mancha <mancha1@zoho.com>
Date: Tue, 27 Jan 2015 23:04:44 +0100
Subject: [PATCH] Fix CVE-2014-9636 unzip buffer overflow

By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.

This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
---
 extract.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/extract.c b/extract.c
index 5d27e4b..06c4605 100644
--- a/extract.c
+++ b/extract.c
@@ -2230,6 +2230,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
     ulg eb_ucsize;
     uch *eb_ucptr;
     int r;
+    ush method;
 
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
@@ -2246,6 +2247,12 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
         return IZ_EF_TRUNC;             /* no/bad compressed data! */
 
+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
+    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+	return PK_ERR;			  /* compressed & uncompressed
+					   * should match in STORED
+					   * method */
+
     if (
 #ifdef INT_16BIT
         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
-- 
1.8.4.5