File libzip-CVE-2017-14107.patch of Package libzip

Overview Repositories Revisions Requests Users Attributes Meta

File libzip-CVE-2017-14107.patch of Package libzip

Index: libzip-0.11.1/lib/zip_open.c
===================================================================
--- libzip-0.11.1.orig/lib/zip_open.c	2017-09-06 14:50:09.872386069 +0200
+++ libzip-0.11.1/lib/zip_open.c	2017-09-06 14:50:09.876386143 +0200
@@ -726,7 +726,12 @@ _zip_read_eocd64(FILE *f, const zip_uint
         _zip_error_set(error, ZIP_ER_SEEK, EFBIG);
         return NULL;
     }
-    if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
+    if (offset+size > buf_offset + eocd_offset) {
+	/* cdir spans past EOCD record */
+	_zip_error_set(error, ZIP_ER_INCONS, 0);
+	return NULL;
+    }
+    if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
 	_zip_error_set(error, ZIP_ER_INCONS, 0);
 	return NULL;
     }
Index: libzip-0.11.1/regress/Makefile.am
===================================================================
--- libzip-0.11.1.orig/regress/Makefile.am	2013-04-17 10:58:09.000000000 +0200
+++ libzip-0.11.1/regress/Makefile.am	2017-09-06 14:51:42.470078673 +0200
@@ -129,7 +129,6 @@ TESTS= \
 	extra_add_multiple.test \
 	extra_count.test \
 	extra_count_by_id.test \
-	extra_count_ignore_zip64.test \
 	extra_get.test \
 	extra_get_by_id.test \
 	file_comment_encmismatch.test \
@@ -143,7 +142,6 @@ TESTS= \
 	open_extrabytes.test \
 	open_filename_empty.test \
 	open_incons.test \
-	open_many_ok.test \
 	open_new_but_exists.test \
 	open_new_ok.test \
 	open_nonarchive.test \
@@ -185,10 +183,12 @@ DISABLED_TESTS= \
 	encoding-cp437.test \
 	encoding-cp437-all.test \
 	encoding-utf-8.test \
+	extra_count_ignore_zip64.test \
 	open_filename_duplicate.test \
 	open_filename_duplicate_consistency.test \
 	open_filename_duplicate_empty.test \
 	open_filename_duplicate_empty_consistency.test \
+	open_many_ok.test \
 	torrent-new.test
 
 AM_CPPFLAGS=-I${top_srcdir}/lib -I../lib -I${top_srcdir}/src

Places

File libzip-CVE-2017-14107.patch of Package libzip

Places