You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
31 lines
1.2 KiB
31 lines
1.2 KiB
From 18c6c043bd7d8f139f30e9c7749013115d5fc5b7 Mon Sep 17 00:00:00 2001
|
|
From: Valentin Lefebvre <valentin.lefebvre@suse.com>
|
|
Date: Wed, 20 Sep 2023 12:04:56 +0200
|
|
Subject: [PATCH] mmappend.c: Avoid invalid access for header entry
|
|
|
|
* zzip_disk_entry_to_file_header checking the pointer by substraction
|
|
instead of addition where it could lead to an invalid access memory.
|
|
* CVE-2020-18770
|
|
|
|
Signed-off-by: Valentin Lefebvre <valentin.lefebvre@suse.com>
|
|
---
|
|
zzip/mmapped.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/zzip/mmapped.c b/zzip/mmapped.c
|
|
index 2071882..beb094d 100644
|
|
--- a/zzip/mmapped.c
|
|
+++ b/zzip/mmapped.c
|
|
@@ -275,8 +275,9 @@ zzip_disk_entry_to_data(ZZIP_DISK * disk, struct zzip_disk_entry * entry)
|
|
struct zzip_file_header *
|
|
zzip_disk_entry_to_file_header(ZZIP_DISK * disk, struct zzip_disk_entry *entry)
|
|
{
|
|
- zzip_byte_t *const ptr = disk->buffer + zzip_disk_entry_fileoffset(entry);
|
|
- if (disk->buffer > ptr || ptr >= disk->endbuf)
|
|
+ zzip_off_t off = zzip_disk_entry_fileoffset(entry);
|
|
+ zzip_byte_t *const ptr = disk->buffer + off;
|
|
+ if (disk->buffer > ptr || disk->buffer >= disk->endbuf - off)
|
|
{
|
|
errno = EBADMSG;
|
|
return 0;
|