ZIP reader: fix possible out-of-bounds read in zipx_lzma_alone_init()

author Tim Kientzle <kientzle@acm.org>

Thu, 24 Mar 2022 09:35:00 +0000 (10:35 +0100)

committer Martin Matuska <martin@matuska.org>

Thu, 24 Mar 2022 09:37:37 +0000 (10:37 +0100)
author Tim Kientzle <kientzle@acm.org>
Thu, 24 Mar 2022 09:35:00 +0000 (10:35 +0100)
committer Martin Matuska <martin@matuska.org>
Thu, 24 Mar 2022 09:37:37 +0000 (10:37 +0100)
diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c

index 38ada70b5577284f5da6b28e6f722adea713b533..9d6c900b2c6e3da24b47cc75fc7c86a747e4d30a 100644 (file)
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -1667,7 +1667,7 @@ zipx_lzma_alone_init(struct archive_read *a, struct zip *zip)
          */
  
         /* Read magic1,magic2,lzma_params from the ZIPX stream. */
-       if((p = __archive_read_ahead(a, 9, NULL)) == NULL) {
+       if(zip->entry_bytes_remaining < 9 || (p = __archive_read_ahead(a, 9, NULL)) == NULL) {
                 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
                     "Truncated lzma data");
                 return (ARCHIVE_FATAL);
author	Tim Kientzle <kientzle@acm.org>
	Thu, 24 Mar 2022 09:35:00 +0000 (10:35 +0100)
committer	Martin Matuska <martin@matuska.org>
	Thu, 24 Mar 2022 09:37:37 +0000 (10:37 +0100)