0028-Fix-for-CVE-2022-0529-and-CVE-2022-0530.patch (6754B)
- From 7c5862de85894d5387c855b5df6e5509c97f5bdf Mon Sep 17 00:00:00 2001
- From: "Steven M. Schweda" <sms@antinode.info>
- Date: Mon, 28 Apr 2025 12:57:34 -0700
- Subject: [PATCH] Fix for CVE-2022-0529 and CVE-2022-0530
- ---
- fileio.c | 34 +++++++++++++++++++++++++---------
- process.c | 55 ++++++++++++++++++++++++++++++++++++++++++++-----------
- 2 files changed, 69 insertions(+), 20 deletions(-)
- diff --git a/fileio.c b/fileio.c
- index 6290824..50a74fc 100644
- --- a/fileio.c
- +++ b/fileio.c
- @@ -171,8 +171,10 @@ static ZCONST char Far ReadError[] = "error: zipfile read error\n";
- static ZCONST char Far FilenameTooLongTrunc[] =
- "warning: filename too long--truncating.\n";
- #ifdef UNICODE_SUPPORT
- + static ZCONST char Far UFilenameCorrupt[] =
- + "error: Unicode filename corrupt.\n";
- static ZCONST char Far UFilenameTooLongTrunc[] =
- - "warning: Converted unicode filename too long--truncating.\n";
- + "warning: Converted Unicode filename too long--truncating.\n";
- #endif
- static ZCONST char Far ExtraFieldTooLong[] =
- "warning: extra field too long (%d). Ignoring...\n";
- @@ -2361,16 +2363,30 @@ int do_string(__G__ length, option) /* return PK-type error code */
- /* convert UTF-8 to local character set */
- fn = utf8_to_local_string(G.unipath_filename,
- G.unicode_escape_all);
- - /* make sure filename is short enough */
- - if (strlen(fn) >= FILNAMSIZ) {
- - fn[FILNAMSIZ - 1] = '\0';
- +
- + /* 2022-07-22 SMS, et al. CVE-2022-0530
- + * Detect conversion failure, emit message.
- + * Continue with unconverted name.
- + */
- + if (fn == NULL)
- + {
- Info(slide, 0x401, ((char *)slide,
- - LoadFarString(UFilenameTooLongTrunc)));
- - error = PK_WARN;
- + LoadFarString(UFilenameCorrupt)));
- + error = PK_ERR;
- + }
- + else
- + {
- + /* make sure filename is short enough */
- + if (strlen(fn) >= FILNAMSIZ) {
- + fn[FILNAMSIZ - 1] = '\0';
- + Info(slide, 0x401, ((char *)slide,
- + LoadFarString(UFilenameTooLongTrunc)));
- + error = PK_WARN;
- + }
- + /* replace filename with converted UTF-8 */
- + strcpy(G.filename, fn);
- + free(fn);
- }
- - /* replace filename with converted UTF-8 */
- - strcpy(G.filename, fn);
- - free(fn);
- }
- # endif /* UNICODE_WCHAR */
- if (G.unipath_filename != G.filename_full)
- diff --git a/process.c b/process.c
- index d2a846e..a7d5b87 100644
- --- a/process.c
- +++ b/process.c
- @@ -222,6 +222,8 @@ static ZCONST char Far ZipfileCommTrunc1[] =
- "\nwarning: Unicode Path version > 1\n";
- static ZCONST char Far UnicodeMismatchError[] =
- "\nwarning: Unicode Path checksum invalid\n";
- + static ZCONST char Far UFilenameTooLongTrunc[] =
- + "warning: filename too long (P1) -- truncating.\n";
- #endif
- @@ -1915,7 +1917,7 @@ int getZip64Data(__G__ ef_buf, ef_len)
- Sets both local header and central header fields. Not terribly clever,
- but it means that this procedure is only called in one place.
- - 2014-12-05 SMS.
- + 2014-12-05 SMS. (oCERT.org report.) CVE-2014-8141.
- Added checks to ensure that enough data are available before calling
- makeint64() or makelong(). Replaced various sizeof() values with
- simple ("4" or "8") constants. (The Zip64 structures do not depend
- @@ -1947,9 +1949,10 @@ int getZip64Data(__G__ ef_buf, ef_len)
- ef_len - EB_HEADSIZE));
- break;
- }
- +
- if (eb_id == EF_PKSZ64)
- {
- - int offset = EB_HEADSIZE;
- + unsigned offset = EB_HEADSIZE;
- if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
- {
- @@ -2046,7 +2049,7 @@ int getUnicodeData(__G__ ef_buf, ef_len)
- }
- if (eb_id == EF_UNIPATH) {
- - int offset = EB_HEADSIZE;
- + unsigned offset = EB_HEADSIZE;
- ush ULen = eb_len - 5;
- ulg chksum = CRCVAL_INITIAL;
- @@ -2504,16 +2507,17 @@ char *wide_to_local_string(wide_string, escape_all)
- int state_dependent;
- int wsize = 0;
- int max_bytes = MB_CUR_MAX;
- - char buf[9];
- + char buf[ MB_CUR_MAX+ 1]; /* ("+1" not really needed?) */
- char *buffer = NULL;
- char *local_string = NULL;
- + size_t buffer_size; /* CVE-2022-0529 */
- for (wsize = 0; wide_string[wsize]; wsize++) ;
- if (max_bytes < MAX_ESCAPE_BYTES)
- max_bytes = MAX_ESCAPE_BYTES;
- -
- - if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
- + buffer_size = wsize * max_bytes + 1; /* Reused below. */
- + if ((buffer = (char *)malloc( buffer_size)) == NULL) {
- return NULL;
- }
- @@ -2551,8 +2555,28 @@ char *wide_to_local_string(wide_string, escape_all)
- } else {
- /* no MB for this wide */
- /* use escape for wide character */
- - char *escape_string = wide_to_escape_string(wide_string[i]);
- - strcat(buffer, escape_string);
- + size_t buffer_len;
- + size_t escape_string_len;
- + char *escape_string;
- + int err_msg = 0;
- +
- + escape_string = wide_to_escape_string(wide_string[i]);
- + buffer_len = strlen( buffer);
- + escape_string_len = strlen( escape_string);
- +
- + /* Append escape string, as space allows. */
- + /* 2022-07-18 SMS, et al. CVE-2022-0529 */
- + if (escape_string_len > buffer_size- buffer_len- 1)
- + {
- + escape_string_len = buffer_size- buffer_len- 1;
- + if (err_msg == 0)
- + {
- + err_msg = 1;
- + Info(slide, 0x401, ((char *)slide,
- + LoadFarString( UFilenameTooLongTrunc)));
- + }
- + }
- + strncat( buffer, escape_string, escape_string_len);
- free(escape_string);
- }
- }
- @@ -2604,9 +2628,18 @@ char *utf8_to_local_string(utf8_string, escape_all)
- ZCONST char *utf8_string;
- int escape_all;
- {
- - zwchar *wide = utf8_to_wide_string(utf8_string);
- - char *loc = wide_to_local_string(wide, escape_all);
- - free(wide);
- + zwchar *wide;
- + char *loc = NULL;
- +
- + wide = utf8_to_wide_string( utf8_string);
- +
- + /* 2022-07-25 SMS, et al. CVE-2022-0530 */
- + if (wide != NULL)
- + {
- + loc = wide_to_local_string( wide, escape_all);
- + free( wide);
- + }
- +
- return loc;
- }
- --
- 2.45.2