diff options
author | Caolán McNamara <caolanm@redhat.com> | 2023-03-09 09:25:32 +0000 |
---|---|---|
committer | Caolán McNamara <caolanm@redhat.com> | 2023-03-09 10:18:42 +0000 |
commit | 59b0f676758dd752457c84fb4159f6446d74e8a4 (patch) | |
tree | 32ce9ec9ed1050bcb78d28c92ca782b623e950ea /package | |
parent | ddd2e00278eb489576eb4c63f44a1a034e7b9d8e (diff) |
ofz#56826 Heap-use-after-free
since:
commit abda72eeac19b18c22f57d5443c3955a463605d7
Date: Mon Feb 20 00:32:22 2023 +0100
tdf#82984 tdf#94915 zip64 support (import + export)
Change-Id: Iffc1c54b3ccc5464e217d7f94ecc34b57ec1afb1
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148526
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'package')
-rw-r--r-- | package/qa/cppunit/data/pass/ofz56826-1.zip | bin | 0 -> 155 bytes | |||
-rw-r--r-- | package/source/zipapi/MemoryByteGrabber.hxx | 10 | ||||
-rw-r--r-- | package/source/zipapi/ZipFile.cxx | 4 |
3 files changed, 12 insertions, 2 deletions
diff --git a/package/qa/cppunit/data/pass/ofz56826-1.zip b/package/qa/cppunit/data/pass/ofz56826-1.zip Binary files differnew file mode 100644 index 000000000000..b9acfe34da14 --- /dev/null +++ b/package/qa/cppunit/data/pass/ofz56826-1.zip diff --git a/package/source/zipapi/MemoryByteGrabber.hxx b/package/source/zipapi/MemoryByteGrabber.hxx index a4d9f0b1ba49..de59756d2187 100644 --- a/package/source/zipapi/MemoryByteGrabber.hxx +++ b/package/source/zipapi/MemoryByteGrabber.hxx @@ -58,6 +58,16 @@ public: nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8; return nInt16; } + + sal_Int16 ReadUInt16() + { + if (mnCurrent + 2 > mnEnd ) + return 0; + sal_uInt16 nInt16 = mpBuffer[mnCurrent++] & 0xFF; + nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8; + return nInt16; + } + sal_Int32 ReadInt32() { if (mnCurrent + 4 > mnEnd ) diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx index 41325f47e38f..78d746ac1b70 100644 --- a/package/source/zipapi/ZipFile.cxx +++ b/package/source/zipapi/ZipFile.cxx @@ -1002,12 +1002,12 @@ void ZipFile::readExtraFields(MemoryByteGrabber& aMemGrabber, sal_Int16 nExtraLe while (nExtraLen > 0) // Extensible data fields { sal_Int16 nheaderID = aMemGrabber.ReadInt16(); - sal_Int16 dataSize = aMemGrabber.ReadInt16(); + sal_uInt16 dataSize = aMemGrabber.ReadUInt16(); if (nheaderID == 1) // Load Zip64 Extended Information Extra Field { // Datasize should be 28byte but some files have less (maybe non standard?) nSize = aMemGrabber.ReadUInt64(); - sal_Int16 nReadSize = 8; + sal_uInt16 nReadSize = 8; if (dataSize >= 16) { nCompressedSize = aMemGrabber.ReadUInt64(); |