Fix unsigned integer overflow in ZIP reading code

Blindly adding 4 to an unsigned length field could result in 0 and this
led to an infinite loop while iterating over all header fields.

Avoid this by promoting the length to int first, before adding 4 to it.

Credit to OSS-Fuzz: this solves its issue 4083.
Vadim Zeitlin 2017-10-28 15:02:12 +02:00
parent 8fe3745b14
commit 5195e788d4


@ -1065,9 +1065,13 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
return true; return true;
} }
fieldLen += 4; // Avoid "optimizing" the lines below by doing "fieldLen += 4" as this
extraData += fieldLen; // could overflow wxUint16 range and, at worst, make fieldLen equal to
extraLen -= fieldLen; // 0 resulting in an infinite loop. Written as it is now, everything is
// promoted to int, which has range large enough to deal with any value
// of the field length.
extraData += fieldLen + 4;
extraLen -= fieldLen + 4;
} }
// extraInfo had unknown format // extraInfo had unknown format
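
Review bot: Missing bounds check at `extraLen -= fieldLen + 4;`: the right-hand side is now computed as int, but the result is stored back into `extraLen`, which the function signature declares as `wxUint16`, so a field length read from the archive that exceeds the remaining `extraLen` still wraps the counter to a large value, after `extraData += fieldLen + 4;` has already moved the pointer past the end of the extra data. Nothing in the visible lines rejects that case. Suggest testing `fieldLen + 4 > extraLen` before the two updates and leaving the loop (or returning an error) when it holds, unless the loop condition outside this hunk already guarantees it. The new comment could also state that the promotion guards only the addition, not the subtraction from `extraLen`.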