From 9411bde3e4a70a81ff3ffd256b71927b2d90dcbb Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 11:32:04 +0200
Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().

---
 test/test.zip | Bin 1361 -> 1361 bytes
 zzip/zip.c    |  36 ++++++++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/zzip/zip.c b/zzip/zip.c
index 88b833b..a685280 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -475,9 +475,15 @@ __zzip_parse_root_directory(int fd,
         } else
         {
             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+	    {
+	    	free(hdr0);
                 return ZZIP_DIR_SEEK;
+	    }
             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+	    {
+	    	free(hdr0);
                 return ZZIP_DIR_READ;
+	    }
             d = &dirent;
         }
 
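Review bot: The six added lines are indented with a tab (and `free(hdr0);` with tab, spaces, tab) while the surrounding lines of __zzip_parse_root_directory() use spaces only, so the braces line up only at one tab width; re-indent the added `{`, `free(hdr0);` and `}` lines with spaces to match the `if` above them. The frees themselves are sound as long as hdr0 has not yet been handed to the caller at this point, which the later hunk (the `*hdr_return = hdr0` assignment after the loop) suggests but this hunk does not show. Any other early `return` between the allocation of hdr0 and that assignment, outside this hunk, would need the same `free(hdr0)`; the loop and the function both continue outside the hunk. Since the archive being parsed is untrusted input, a leak on these error paths is reachable per crafted file, which is why every failure return here has to release the buffer.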
@@ -577,12 +583,38 @@ __zzip_parse_root_directory(int fd,
 
         if (hdr_return)
             *hdr_return = hdr0;
+	else
+	{
+	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+	    free(hdr0);
+	    /* Make sure we don't free it again in case of error */
+	    hdr0 = NULL;
+	}
     }                           /* else zero (sane) entries */
 #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+    if (entries != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
 #  else
-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+    if (((entries & (unsigned)0xFFFF) != zz_entries)
+    {
+	/* If it was assigned to *hdr_return, undo assignment */
+	if (p_reclen && hdr_return)
+	    *hdr_return = NULL;
+	/* Free it, if it was not already free()'d */
+	if (hdr0 != NULL)
+	    free(hdr0);
+	return ZZIP_CORRUPTED;
+    }
 #  endif
+    return 0;
 }
 
 /* ------------------------- high-level interface ------------------------- */
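Review bot: The two `#ifndef ZZIP_ALLOW_MODULO_ENTRIES` / `#else` branches now carry an identical ten-line cleanup block, so a later fix to one of them can silently miss the other; only the corruption test differs, and the cleanup can be written once. The `if (hdr0 != NULL)` guard before `free(hdr0)` is also redundant since `free(NULL)` is a no-op, and the `else` branch above already sets `hdr0 = NULL` after freeing. The rewrite below keeps the exact behaviour of the hunk (undo the hand-over, release hdr0, return ZZIP_CORRUPTED) with a single cleanup path; the function's head, including where `p_reclen` is set, is outside the hunk.
```c
/* … unchanged: hdr_return hand-over / else free(hdr0), hdr0 = NULL … */
#  ifndef ZZIP_ALLOW_MODULO_ENTRIES
    if (entries == zz_entries)
        return 0;
#  else
    if ((entries & (unsigned)0xFFFF) == zz_entries)
        return 0;
#  endif
    /* corrupted entry count: undo the hand-over to the caller and
     * release hdr0 (already NULL if it was freed above, so no double free) */
    if (p_reclen && hdr_return)
        *hdr_return = NULL;
    free(hdr0);
    return ZZIP_CORRUPTED;
```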

From d2e5d5c53212e54a97ad64b793a4389193fec687 Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 11:49:28 +0200
Subject: [PATCH] Avoid memory leak from __zzip_parse_root_directory().

---
 zzip/zip.c | 25 ++-----------------------
 1 file changed, 2 insertions(+), 23 deletions(-)

diff --git a/zzip/zip.c b/zzip/zip.c
index a685280..51a1a4d 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -587,34 +587,13 @@ __zzip_parse_root_directory(int fd,
 	{
 	    /* If it is not assigned to *hdr_return, it will never be free()'d */
 	    free(hdr0);
-	    /* Make sure we don't free it again in case of error */
-	    hdr0 = NULL;
 	}
     }                           /* else zero (sane) entries */
 #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
-    if (entries != zz_entries)
-    {
-	/* If it was assigned to *hdr_return, undo assignment */
-	if (p_reclen && hdr_return)
-	    *hdr_return = NULL;
-	/* Free it, if it was not already free()'d */
-	if (hdr0 != NULL)
-	    free(hdr0);
-	return ZZIP_CORRUPTED;
-    }
+    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
 #  else
-    if (((entries & (unsigned)0xFFFF) != zz_entries)
-    {
-	/* If it was assigned to *hdr_return, undo assignment */
-	if (p_reclen && hdr_return)
-	    *hdr_return = NULL;
-	/* Free it, if it was not already free()'d */
-	if (hdr0 != NULL)
-	    free(hdr0);
-	return ZZIP_CORRUPTED;
-    }
+    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
 #  endif
-    return 0;
 }
 
 /* ------------------------- high-level interface ------------------------- */
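Review bot: With the `*hdr_return = NULL; free(hdr0);` undo removed, the `ZZIP_CORRUPTED` return now leaves `*hdr_return` pointing at hdr0, so ownership passes to the caller even though the call failed; that is only leak-free if the caller releases `*hdr_return` on a non-zero return, which this hunk cannot show. If that is the intended contract, state it where the hand-over happens: `/* On ZZIP_CORRUPTED *hdr_return still owns hdr0; the caller must free it */`. If callers treat a failed call as having produced nothing, the previous patch's undo was the right shape and dropping it reintroduces the leak on the corruption path. The enclosing function starts outside the hunk.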

From 0e1dadb05c1473b9df2d7b8f298dab801778ef99 Mon Sep 17 00:00:00 2001
From: jmoellers <josef.moellers@suse.com>
Date: Fri, 7 Sep 2018 13:55:35 +0200
Subject: [PATCH] One more free() to avoid memory leak.

---
 zzip/zip.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zzip/zip.c b/zzip/zip.c
index 51a1a4d..bc6c080 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -589,6 +589,8 @@ __zzip_parse_root_directory(int fd,
 	    free(hdr0);
 	}
     }                           /* else zero (sane) entries */
+    else
+        free(hdr0);
 #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
     return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
 #  else
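Review bot: The new `else free(hdr0);` is an unbraced control body while the matching `if`/`else` just above it braces single statements; for consistency (and to make the next addition to this branch safe) write it as `else { free(hdr0); }`. `free(hdr0)` is fine even if hdr0 is still NULL on the zero-entries path, which the hunk does not show either way. In this branch `*hdr_return` is never assigned, so unless callers initialise it themselves they receive an indeterminate pointer on a successful zero-entry parse; if that is not guaranteed, `else { free(hdr0); if (hdr_return) *hdr_return = NULL; }` would close the gap. The enclosing function starts outside the hunk.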