solemnwarning/wxwidgets
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 4

Fix integer overflow when reading ZIP central directory

Browse source 
Our code didn't convert 32-bit offset to (possibly 64-bit) m_Offset
correctly in the first place, and didn't check if the offset remained
valid after adjustment.

Fix both problems by using explicit cast and checking for the latter
explicitly.

Credit to OSS-Fuzz: this solves its issue 20527.
This commit is contained in:
Vadim Zeitlin 2020-05-02 03:38:57 +02:00
parent 37485130cc
commit 2be019f8f8
1 changed files with 14 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/common/zipstrm.cpp
View file

@ -1852,8 +1852,20 @@ wxStreamError wxZipInputStream::ReadCentral()
m_position += size;
m_signature = ReadSignature();
if (m_offsetAdjustment)
m_entry.SetOffset(m_entry.GetOffset() + m_offsetAdjustment);
if (m_offsetAdjustment) {
// Offset read from the stream is 4 bytes independently of the
// platform, but it's not clear if it can become greater than max
// 32-bit value after adjustment. For now consider that it can't.
wxFileOffset ofs = wxUint32(m_entry.GetOffset());
ofs += m_offsetAdjustment;
if (ofs > wxUINT32_MAX) {
m_signature = 0;
return wxSTREAM_READ_ERROR;
}
m_entry.SetOffset(ofs);
}
m_entry.SetKey(m_entry.GetOffset());
return wxSTREAM_NO_ERROR;