Fix unsigned integer overflow in ZIP reading code

Blindly adding 4 to an unsigned length field could result in 0 and this
led to an infinite loop while iterating over all header fields.

Avoid this by promoting the length to int first, before adding 4 to it.

Credit to OSS-Fuzz: this solves its issue 4083.
Vadim Zeitlin 2017-10-28 15:02:12 +02:00
parent 8fe3745b14
commit 5195e788d4


@ -1065,9 +1065,13 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
return true;
}
fieldLen += 4;
extraData += fieldLen;
extraLen -= fieldLen;
// Avoid "optimizing" the lines below by doing "fieldLen += 4" as this
// could overflow wxUint16 range and, at worst, make fieldLen equal to
// 0 resulting in an infinite loop. Written as it is now, everything is
// promoted to int, which has range large enough to deal with any value
// of the field length.
extraData += fieldLen + 4;
extraLen -= fieldLen + 4;
}
// extraInfo had unknown format
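Review bot: `extraLen -= fieldLen + 4;` still stores its result back into a wxUint16, and nothing in the visible context checks that `fieldLen + 4 <= extraLen` before the pointer and the remaining length are adjusted. If a crafted field length exceeds what is left of the extra data, the subtraction wraps to a large positive value while `extraData` has already been advanced past the end of the buffer, so the loop would keep parsing out-of-bounds memory instead of terminating. Unless that check exists above the hunk, I would add it here and bail out of the function on failure. A smaller style point: computing the sum once into a local int (for example `const int totalLen = fieldLen + 4;`) and using it in both statements would remove the duplicated expression and make the promotion to int explicit in the code rather than relying on the comment to keep someone from folding it back into `fieldLen += 4`.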