From bb7e7b1df18f2e55cd1f562980556b3c3b122065 Mon Sep 17 00:00:00 2001 From: Caolán McNamara Date: Thu, 9 Mar 2023 09:25:32 +0000 Subject: ofz#56826 Heap-use-after-free MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit since: commit abda72eeac19b18c22f57d5443c3955a463605d7 Date: Mon Feb 20 00:32:22 2023 +0100 tdf#82984 tdf#94915 zip64 support (import + export) Change-Id: Iffc1c54b3ccc5464e217d7f94ecc34b57ec1afb1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148526 Tested-by: Jenkins Reviewed-by: Caolán McNamara Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148502 Tested-by: Andras Timar Reviewed-by: Andras Timar
---
 package/qa/cppunit/data/pass/ofz56826-1.zip | Bin 0 -> 155 bytes package/source/zipapi/MemoryByteGrabber.hxx | 10 ++++++++++ package/source/zipapi/ZipFile.cxx | 4 ++-- 3 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 package/qa/cppunit/data/pass/ofz56826-1.zip (limited to 'package')
diff --git a/package/qa/cppunit/data/pass/ofz56826-1.zip b/package/qa/cppunit/data/pass/ofz56826-1.zip
new file mode 100644
index 000000000000..b9acfe34da14
Binary files /dev/null and b/package/qa/cppunit/data/pass/ofz56826-1.zip differ
diff --git a/package/source/zipapi/MemoryByteGrabber.hxx b/package/source/zipapi/MemoryByteGrabber.hxx
index a4d9f0b1ba49..de59756d2187 100644
--- a/package/source/zipapi/MemoryByteGrabber.hxx
+++ b/package/source/zipapi/MemoryByteGrabber.hxx
@@ -58,6 +58,16 @@ public:
 nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8;
 return nInt16;
 }
+
+ sal_Int16 ReadUInt16()
+ {
+ if (mnCurrent + 2 > mnEnd )
+ return 0;
+ sal_uInt16 nInt16 = mpBuffer[mnCurrent++] & 0xFF;
+ nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8;
+ return nInt16;
+ }
+
 sal_Int32 ReadInt32()
 {
 if (mnCurrent + 4 > mnEnd )
diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx
index 49231dbf59d8..06e55485b9bf 100644
--- a/package/source/zipapi/ZipFile.cxx
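Review bot: The new `ReadUInt16()` in MemoryByteGrabber.hxx is declared to return `sal_Int16` although it builds and returns a `sal_uInt16`, so any value above 0x7FFF passes through a signed type before the caller in `ZipFile::readExtraFields` stores it in its `sal_uInt16 dataSize`. The declaration should read `sal_uInt16 ReadUInt16()`, which keeps a file-supplied length unsigned all the way from the buffer to the caller. The short-read path returns 0, which a caller cannot tell apart from a genuine zero-length field; a comment above the function such as `// returns 0 when fewer than 2 bytes remain in the buffer` would record that. The enclosing class starts and ends outside the hunk.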
+++ b/package/source/zipapi/ZipFile.cxx
@@ -1024,12 +1024,12 @@ void ZipFile::readExtraFields(MemoryByteGrabber& aMemGrabber, sal_Int16 nExtraLe
 while (nExtraLen > 0) // Extensible data fields
 {
 sal_Int16 nheaderID = aMemGrabber.ReadInt16();
- sal_Int16 dataSize = aMemGrabber.ReadInt16();
+ sal_uInt16 dataSize = aMemGrabber.ReadUInt16();
 if (nheaderID == 1) // Load Zip64 Extended Information Extra Field
 {
 // Datasize should be 28byte but some files have less (maybe non standard?)
 nSize = aMemGrabber.ReadUInt64();
- sal_Int16 nReadSize = 8;
+ sal_uInt16 nReadSize = 8;
 if (dataSize >= 16)
 {
 nCompressedSize = aMemGrabber.ReadUInt64();
-- cgit
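Review bot: For header ID 1 the first `aMemGrabber.ReadUInt64()` into `nSize` runs, and `nReadSize` is set to 8, without any check that `dataSize` is at least 8, whereas the next field is guarded by `dataSize >= 16`. An extra field that declares a shorter `dataSize` therefore makes the parser consume bytes beyond the declared field and leaves `nReadSize` larger than `dataSize`. The rest of the loop lies outside the hunk, so how it uses the two values to skip data and to decrement `nExtraLen` should be checked there. Starting `nReadSize` at 0 and guarding the first read the same way, `if (dataSize >= 8) { nSize = aMemGrabber.ReadUInt64(); nReadSize = 8; }`, would keep the reads inside the declared field. `nExtraLen` is still a `sal_Int16` in the signature, so a length above 0x7FFF would presumably arrive negative and skip the loop entirely.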