https://sourceforge.net/p/libmspack/code/199/
2015-01-05 Stuart Caie <kyzer@4u.net>
* cabd_can_merge_folders(): disallow folder merging if the combined
folder would have more than 65535 data blocks.
* cabd_decompress(): disallow files if their offset, length or
offset+length is more than 65535*32768, the maximum size of any
folder. Thanks to Jakub Wilk for identifying the problem and providing
a sample file.
--- a/libmspack/trunk/mspack/cabd.c
+++ b/libmspack/trunk/mspack/cabd.c
@@ -937,6 +937,12 @@
return 0;
}
+ /* check there are not too many data blocks after merging */
+ if ((lfol->base.num_blocks + rfol->base.num_blocks) > CAB_FOLDERMAX) {
+ D(("folder merge: too many data blocks in merged folders"))
+ return 0;
+ }
+
if (!(lfi = lfol->merge_next) || !(rfi = rfol->merge_prev)) {
D(("folder merge: one cabinet has no files to merge"))
return 0;
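Review bot: The comment above the added block-count check says what is rejected but not why 65535 is the bound, so a reader has to chase CAB_FOLDERMAX to its definition; `/* a merged folder is still a single CAB folder, so its block count must stay within CAB_FOLDERMAX */` would make the intent local. The addition itself cannot wrap only if each side's num_blocks is already bounded when the folder is parsed, which this hunk does not show and is worth confirming. cabd_can_merge_folders begins before the hunk.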
@@ -988,6 +994,13 @@
sys = self->system;
fol = (struct mscabd_folder_p *) file->folder;
+
+ /* validate the file's offset and length */
+ if ( (file->offset > CAB_LENGTHMAX) || (file->length > CAB_LENGTHMAX) ||
+ ((file->offset + file->length) > CAB_LENGTHMAX))
+ {
+ return self->error = MSPACK_ERR_DATAFORMAT;
+ }
/* check if file can be extracted */
if ((!fol) || (fol->merge_prev) ||
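Review bot: The `file->offset + file->length` term on the second line of the new condition is only safe from unsigned wrap because the two single-field comparisons before it short-circuit first; if a later edit reorders the terms, the sum could wrap and slip past the check. A comment pinning that ordering would help, e.g. `/* the sum is evaluated only after each operand is known to be <= CAB_LENGTHMAX, so it cannot wrap a 32-bit unsigned */`. This presumes offset and length are 32-bit unsigned fields, which the hunk does not show. cabd_decompress begins outside the hunk.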
--- a/libmspack/trunk/mspack/cab.h
+++ b/libmspack/trunk/mspack/cab.h
@@ -70,6 +70,13 @@
#define CAB_BLOCKMAX (32768)
#define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+/* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+ */
+#define CAB_FOLDERMAX (65535)
+#define CAB_LENGTHMAX (CAB_BLOCKMAX * CAB_FOLDERMAX)
+
/* CAB compression definitions */
struct mscab_compressor_p {
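Review bot: `CAB_LENGTHMAX` expands to an int-typed product (32768 * 65535 = 2147450880), which fits INT_MAX with a margin of only 32767; it is correct today, but the comparisons that use it then rely on int-to-unsigned promotion, and any future increase of CAB_BLOCKMAX would silently overflow signed int. Since the macro is new and used only in the new offset/length check, giving it an unsigned type removes both concerns: `#define CAB_LENGTHMAX (CAB_BLOCKMAX * (unsigned int) CAB_FOLDERMAX)`. The block comment could also state that the product is chosen to stay below 2^31.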