Backport and apply upstream patch for CVE-2017-14107

weltling · weltling · commit f6e8ce812174 · 2017-10-27T13:16:56.000+02:00
diff --git a/ext/zip/lib/zip_open.c b/ext/zip/lib/zip_open.c
@@ -726,7 +726,12 @@ _zip_read_eocd64(FILE *f, const zip_uint8_t *eocd64loc, const zip_uint8_t *buf,
         _zip_error_set(error, ZIP_ER_SEEK, EFBIG);
         return NULL;
     }
-    if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {
+    if (offset+size > buf_offset + eocd_offset) {
+	/* cdir spans past EOCD record */
+	_zip_error_set(error, ZIP_ER_INCONS, 0);
+	return NULL;
+    }
+    if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {
 	_zip_error_set(error, ZIP_ER_INCONS, 0);
 	return NULL;
     }

Original file line number	Diff line number	Diff line change
`@@ -726,7 +726,12 @@ _zip_read_eocd64(FILE f, const zip_uint8_t eocd64loc, const zip_uint8_t *buf,`
`726`	`726`	`_zip_error_set(error, ZIP_ER_SEEK, EFBIG);`
`727`	`727`	`return NULL;`
`728`	`728`	`}`
`729`		`- if ((flags & ZIP_CHECKCONS) && offset+size != eocd_offset) {`
	`729`	`+ if (offset+size > buf_offset + eocd_offset) {`
	`730`	`+ /* cdir spans past EOCD record */`
	`731`	`+ _zip_error_set(error, ZIP_ER_INCONS, 0);`
	`732`	`+ return NULL;`
	`733`	`+ }`
	`734`	`+ if ((flags & ZIP_CHECKCONS) && offset+size != buf_offset + eocd_offset) {`
`730`	`735`	`_zip_error_set(error, ZIP_ER_INCONS, 0);`
`731`	`736`	`return NULL;`
`732`	`737`	`}`