File bsc1227178-fetch_disk_trailer-Don-t-truncate-the-size-verif.patch of Package zziplib.35221
diff -Ppdru zziplib-0.13.67-orig/zzip/zip.c zziplib-0.13.67/zzip/zip.c
--- zziplib-0.13.67-orig/zzip/zip.c 2024-08-12 15:03:56.051553001 +0200
+++ zziplib-0.13.67/zzip/zip.c 2024-08-12 15:18:07.862841275 +0200
@@ -287,6 +287,10 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
HINT5("offs=$%lx len=%li filesize=%li pagesize=%i",
(long) offset, (long) maplen, (long) filesize, ZZIP_BUFSIZ);
}
+ /* if the file-comment is not present, it happens that the z_comment field
+ often isn't either. The actual zip_disk_trailer is a bit shorter then,
+ with __sizeof(((struct zzip_disk_trailer*)(0))->z_comment) == 2 */
+#define __sizeof_z_comment 2
{ /* now, check for the trailer-magic, hopefully near the end of file */
register unsigned char *end = mapped + maplen;
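Review bot: The new `__sizeof_z_comment` at L12 hardcodes the literal 2 that its own comment at L11 derives from the struct field, so the macro and the layout can drift apart if `z_comment` ever changes; defining it from the field keeps the bound tied to the struct: `#define __sizeof_z_comment __sizeof(((struct zzip_disk_trailer *) 0)->z_comment)` (sizeof does not evaluate its operand, so this is the usual offsetof-style idiom). The define is placed mid-function and never `#undef`'d, so it stays visible for the rest of the translation unit; an `#undef __sizeof_z_comment` after its last use in the following hunk would contain it. The reserved double-underscore prefix follows this file's existing `__sizeof`/`__zzip_*` convention, so that is a project-wide choice rather than a defect of this patch. `__zzip_fetch_disk_trailer` starts before this hunk.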
@@ -294,18 +298,16 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
for (tail = end - 1; (tail >= mapped); tail--)
{
if ((*tail == 'P') && /* quick pre-check for trailer magic */
- end - tail >= __sizeof(struct zzip_disk_trailer) - 2 &&
+ end - tail >= __sizeof(struct zzip_disk_trailer) - __sizeof_z_comment &&
zzip_disk_trailer_check_magic(tail))
{
# ifndef ZZIP_DISK64_TRAILER
- /* if the file-comment is not present, it happens
- that the z_comment field often isn't either */
if (end - tail >= __sizeof(*trailer))
{
memcpy(trailer, tail, sizeof(*trailer));
} else
{
- memcpy(trailer, tail, sizeof(*trailer) - 2);
+ memcpy(trailer, tail, sizeof(*trailer) - __sizeof_z_comment);
trailer->z_comment[0] = 0;
trailer->z_comment[1] = 0;
}
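Review bot: The zeroing at L33-L34 still hardcodes the comment field as two bytes via indices 0 and 1, right next to the `__sizeof_z_comment` macro this same patch introduces to remove that assumption; `memset(trailer->z_comment, 0, __sizeof_z_comment);` would keep the short-copy length at L32 and the zero-fill in step. Otherwise the short-copy path looks consistent: the pre-check at L20 requires `end - tail >= __sizeof(struct zzip_disk_trailer) - __sizeof_z_comment`, so the `sizeof(*trailer) - __sizeof_z_comment` memcpy at L32 stays inside the mapping, assuming `trailer` is a `struct zzip_disk_trailer *` in this branch. The enclosing function continues past the end of the hunk.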
@@ -330,7 +332,7 @@ __zzip_fetch_disk_trailer(int fd, zzip_o
{ return(0); }
} else if ((*tail == 'P') &&
end - tail >=
- __sizeof(struct zzip_disk64_trailer) - 2
+ __sizeof(struct zzip_disk64_trailer)
&& zzip_disk64_trailer_check_magic(tail))
{
# ifndef ZZIP_DISK64_TRAILER
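Review bot: The disk64 pre-check at L41 drops the `- 2` slack without recording why, while the disk32 branch in the preceding hunk explains its own `- __sizeof_z_comment` in a comment, so a reader comparing the two branches may read this one as an omission. A comment on the new line such as `/* the disk64 trailer carries no trailing z_comment: require its full size */` would pin the intent; presumably the 64-bit trailer has no optional comment field, so the old `- 2` accepted a `tail` from which the subsequent full-size copy would read past `end`. The size comparison correctly precedes `zzip_disk64_trailer_check_magic(tail)` in the `&&` chain, so the magic bytes are only examined once the whole trailer is known to be mapped. The copy that relies on this bound and the rest of `__zzip_fetch_disk_trailer` lie outside the hunk.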