Fix a buffer overread in the zipfile extension code.
authordan <Dan Kennedy>
Mon, 29 Sep 2025 18:55:05 +0000 (18:55 +0000)
committerdan <Dan Kennedy>
Mon, 29 Sep 2025 18:55:05 +0000 (18:55 +0000)
FossilOrigin-Name: 70c2c99b6f12a3467c23b44adcaf2d7d780ba8317b72de2f6730b1d892cf0c85

ext/misc/zipfile.c
manifest
manifest.uuid
test/zipfile.test

index 9e78e7230590070bcdfd9924b6fd2226a7a01d30..e5e64308ef86b126feb7a5ebb6a5fe2b41b396a4 100644 (file)
@@ -822,12 +822,15 @@ static int zipfileGetEntry(
   u8 *aRead;
   char **pzErr = &pTab->base.zErrMsg;
   int rc = SQLITE_OK;
-  (void)nBlob;
 
   if( aBlob==0 ){
     aRead = pTab->aBuffer;
     rc = zipfileReadData(pFile, aRead, ZIPFILE_CDS_FIXED_SZ, iOff, pzErr);
   }else{
+    if( (iOff+ZIPFILE_CDS_FIXED_SZ)>nBlob ){
+      /* Not enough data for the CDS structure. Corruption. */
+      return SQLITE_CORRUPT;
+    }
     aRead = (u8*)&aBlob[iOff];
   }
 
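Review bot: The new guard in the `else` branch bounds only the fixed-size part of the record: it proves that `ZIPFILE_CDS_FIXED_SZ` bytes are available at `iOff`. The name, extra and comment fields whose lengths are parsed from that header are presumably read from `aBlob` later in zipfileGetEntry, outside this hunk, and would need the same comparison against `nBlob`. The condition also has no lower bound, so if `iOff` can ever be negative here (its type and origin are not visible in the hunk), `&aBlob[iOff]` is still reached; `if( iOff<0 || (iOff+ZIPFILE_CDS_FIXED_SZ)>nBlob ){` would close that. The function's signature and the rest of its body lie outside the hunk, so both points should be confirmed against the full file.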
index 1d754caf1a74b4368a615ffe958a01c79283524e..3341715c41a538b9d44f94614dfad7eec533f676 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Improve\swhereSolver()\sso\sthat\sit\salways\sfinds\sa\sunique\ssolution.
-D 2025-09-29T18:17:19.545
+C Fix\sa\sbuffer\soverread\sin\sthe\szipfile\sextension\scode.
+D 2025-09-29T18:55:05.384
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -416,7 +416,7 @@ F ext/misc/vtablog.c 9f7e02e9e8de585f3bfb48405db36c2eb4b680a23a67d7a4b738dd20f6a
 F ext/misc/vtshim.c e5bce24ab8c532f4fdc600148718fe1802cb6ed57417f1c1032d8961f72b0e8f
 F ext/misc/wholenumber.c 0fa0c082676b7868bf2fa918e911133f2b349bcdceabd1198bba5f65b4fc0668
 F ext/misc/windirent.h 02211ce51f3034c675f2dbf4d228194d51b3ee05734678bad5106fff6292e60c
-F ext/misc/zipfile.c 360cc8e0b13398a27abae2baa5d136462718994053ef918e86f4e2dd238657c7
+F ext/misc/zipfile.c 67bd456f614b290371ecd1c2bdae858166983ffb16237299953cc2caae6d1aad
 F ext/misc/zorder.c bddff2e1b9661a90c95c2a9a9c7ecd8908afab5763256294dd12d609d4664eee
 F ext/rbu/rbu.c 801450b24eaf14440d8fd20385aacc751d5c9d6123398df41b1b5aa804bf4ce8
 F ext/rbu/rbu1.test 25870dd7db7eb5597e2b4d6e29e7a7e095abf332660f67d89959552ce8f8f255
@@ -2076,7 +2076,7 @@ F test/writecrash.test 13520af28f376bfc8c0bcd130efc1fff20bb165198e8b94cf153f1f75
 F test/zeroblob.test 7b74cefc7b281dfa2b07cd237987fbe94b4a2037a7771e9e83f2d5f608b1d99e
 F test/zeroblobfault.test 861d8191a0d944dfebb3cb4d2c5b4e46a5a119eaec5a63dd996c2389f8063441
 F test/zerodamage.test 9c41628db7e8d9e8a0181e59ea5f189df311a9f6ce99cc376dc461f66db6f8dc
-F test/zipfile.test c8a7736312c8eb32ee2808121ca22d885a8724d8df4a23d312ddefddadc7f322
+F test/zipfile.test 61ec316df6149b515dbfd570e7cd4a4a18dae037b2a5cdd5769b6f44f6132acf
 F test/zipfile2.test 6df5f5ef9d247756f7200066f43e7f3f52cffff47f0c02cbefe4ce9c3284cb10
 F test/zipfilefault.test 44d4d7a7f7cca7521d569d7f71026b241d65a6b1757aa409c1a168827edbbc2c
 F tool/GetFile.cs 47852aa0d806fe47ed1ac5138bdce7f000fe87aaa7f28107d0cb1e26682aeb44
@@ -2169,8 +2169,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 0ad5d77fc0a9d205cc061ee4923d885f6f28f77c1efef3cc10297036ce164e6d
-R 9d0688a1783d31445cb1e5a298e6561f
-U drh
-Z 7fcc32fcbbfc1112a0376663c5e3564b
+P ae303dab2f534e2c5132112b61fa5a097e7010fd8b652badee669fbe9df5cf53
+R 3e1c617d71503e0e1b101bd0d30072ee
+U dan
+Z cefe1c02eda63fc79f0227d3b0e9e5fc
 # Remove this line to create a well-formed Fossil manifest.
index e8524ca4f01ac0bc75dec069958fa1b6eb26e3fa..cd2cbfd1a71ca4672defb83e21f11b9c39acee42 100644 (file)
@@ -1 +1 @@
-ae303dab2f534e2c5132112b61fa5a097e7010fd8b652badee669fbe9df5cf53
+70c2c99b6f12a3467c23b44adcaf2d7d780ba8317b72de2f6730b1d892cf0c85
index 016a20b4244ecab39c1ed9492850f542e88c1b27..86e4549d762347ce9e921dfbe7a75874de14b893 100644 (file)
@@ -887,4 +887,8 @@ do_test 19.1 {
 } {}
 forcedelete zipfile19.zip
 
+do_catchsql_test 20.0 {
+  SELECT * FROM zipfile(X'504b050600000000010001004000000000a3e1110000');
+} {1 {database disk image is malformed}}
+
 finish_test
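Review bot: The blob literal in test 20.0 is opaque, so a short comment above it would make the intent of the regression reviewable, e.g. `# 22-byte end-of-central-directory record only: one entry declared, central directory offset far past the end of the blob.` The case exercises an offset well beyond the blob. A second case where the offset lies inside the blob but fewer bytes remain than the fixed header needs would pin the boundary of the new `>` comparison in zipfileGetEntry. Both cases go through the in-memory blob path only, which is the branch the fix touches.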