- fix crash (double free) on malformed zip archive CVE-2008-0888 (#431438)

This commit is contained in:
Ivana Varekova 2008-03-19 13:58:17 +00:00
parent 0cb543d779
commit df1d2d8a93
2 changed files with 49 additions and 1 deletions

View File

@ -0,0 +1,42 @@
diff -up unzip-5.52/inflate.c.pom unzip-5.52/inflate.c
--- unzip-5.52/inflate.c.pom 2005-02-27 07:08:46.000000000 +0100
+++ unzip-5.52/inflate.c 2008-03-19 14:47:58.000000000 +0100
@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
unsigned l; /* last length */
unsigned m; /* mask for bit lengths table */
unsigned n; /* number of lengths to get */
+ struct huft *tlp;
struct huft *tl; /* literal/length code table */
struct huft *td; /* distance code table */
unsigned bl; /* lookup bits for tl */
@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
register unsigned k; /* number of bits in bit buffer */
int retval = 0; /* error code returned: initialized to "no error" */
+ td = tlp = tl = (struct huft *)NULL;
/* make local bit buffer */
Trace((stderr, "\ndynamic block"));
@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
while (i < n)
{
NEEDBITS(bl)
- j = (td = tl + ((unsigned)b & m))->b;
+ j = (tlp = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
- j = td->v.n;
+ j = tlp->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
else if (j == 16) /* repeat last length 3 to 6 times */
@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
cleanup_and_exit:
/* free the decoding tables, return */
- huft_free(tl);
- huft_free(td);
+ if (tl) huft_free(tl);
+ if (td) huft_free(td);
return retval;
}

View File

@ -1,7 +1,7 @@
Summary: A utility for unpacking zip files
Name: unzip
Version: 5.52
Release: 8%{?dist}
Release: 9%{?dist}
License: BSD
Group: Applications/Archiving
Source: ftp://ftp.info-zip.org/pub/infozip/src/unzip552.tar.gz
@ -17,6 +17,7 @@ Patch11: unzip-5.52-open.patch
Patch12: unzip-5.52-4GB3.patch
Patch13: unzip-5.52-4GB_types.patch
Patch14: unzip-5.52-249057.patch
Patch15: unzip-5.52-cve-2008-0888.patch
URL: http://www.info-zip.org/pub/infozip/UnZip.html
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -45,6 +46,7 @@ a zip archive.
%patch12 -p1 -b .4GB3
%patch13 -p1 -b .4BG4
%patch14 -p1 -b .err
%patch15 -p1 -b .cve-2008-0888
ln -s unix/Makefile Makefile
%build
@ -65,6 +67,10 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/*/*
%changelog
* Wed Mar 19 2008 Ivana Varekova <varekova@redhat.com> - 5.52-9
- fix crash (double free) on malformed zip archive
CVE-2008-0888 (#431438)
* Fri Feb 8 2008 Ivana Varekova <varekova@redhat.com> - 5.52-8
- fix output when out of space error appears