File CVE-2016-8689.patch of Package libarchive.9088

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2016-8689.patch of Package libarchive.9088

commit 7f17c791dcfd8c0416e2cd2485b19410e47ef126
Author: Tim Kientzle <kientzle@acm.org>
Date:   Sun Sep 18 18:14:58 2016 -0700

Issue 761:  Heap overflow reading corrupted 7Zip files
    
    The sample file that demonstrated this had multiple 'EmptyStream'
    attributes.  The first one ended up being used to calculate
    certain statistics, then was overwritten by the second which
    was incompatible with those statistics.
    
    The fix here is to reject any header with multiple EmptyStream
    attributes.  While here, also reject headers with multiple
    EmptyFile, AntiFile, Name, or Attributes markers.

Index: libarchive-3.1.2/libarchive/archive_read_support_format_7zip.c
===================================================================
--- libarchive-3.1.2.orig/libarchive/archive_read_support_format_7zip.c
+++ libarchive-3.1.2/libarchive/archive_read_support_format_7zip.c
@@ -2337,6 +2337,8 @@ read_Header(struct archive_read *a, stru
 
 		switch (type) {
 		case kEmptyStream:
+			if (h->emptyStreamBools != NULL)
+				return (-1);
 			h->emptyStreamBools = calloc((size_t)zip->numFiles,
 			    sizeof(*h->emptyStreamBools));
 			if (h->emptyStreamBools == NULL)
@@ -2357,6 +2359,8 @@ read_Header(struct archive_read *a, stru
 					return (-1);
 				break;
 			}
+			if (h->emptyFileBools != NULL)
+				return (-1);
 			h->emptyFileBools = calloc(empty_streams,
 			    sizeof(*h->emptyFileBools));
 			if (h->emptyFileBools == NULL)
@@ -2371,6 +2375,8 @@ read_Header(struct archive_read *a, stru
 					return (-1);
 				break;
 			}
+			if (h->antiBools != NULL)
+				return (-1);
 			h->antiBools = calloc(empty_streams,
 			    sizeof(*h->antiBools));
 			if (h->antiBools == NULL)
@@ -2397,6 +2403,8 @@ read_Header(struct archive_read *a, stru
 			if ((ll & 1) || ll < zip->numFiles * 4)
 				return (-1);
 
+			if (zip->entry_names != NULL)
+				return (-1);
 			zip->entry_names = malloc(ll);
 			if (zip->entry_names == NULL)
 				return (-1);
@@ -2449,6 +2457,8 @@ read_Header(struct archive_read *a, stru
 			if ((p = header_bytes(a, 2)) == NULL)
 				return (-1);
 			allAreDefined = *p;
+			if (h->attrBools != NULL)
+				return (-1);
 			h->attrBools = calloc((size_t)zip->numFiles,
 			    sizeof(*h->attrBools));
 			if (h->attrBools == NULL)

Places

File CVE-2016-8689.patch of Package libarchive.9088

Places