From cbc3cd47f03fe53811ac4150d6c938e987d5deb6 Mon Sep 17 00:00:00 2001
From: dan <Dan Kennedy>
Date: Thu, 2 Oct 2025 11:16:22 +0000
Subject: [PATCH] Fix a buffer overrun in the zipfile extension that could
 occur while processing zip archives with extremely long file-names and
 comment fields.

FossilOrigin-Name: c284fda848038a61972fd1df5796f608a24ead109170aafe562a5d5787c46488
---
 ext/misc/zipfile.c |  7 +++++-
 manifest           | 16 ++++++-------
 manifest.uuid      |  2 +-
 test/zipfile2.test | 59 ++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 74 insertions(+), 10 deletions(-)

diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
index ee5bc3821f..58cfba658a 100644
--- a/ext/misc/zipfile.c
+++ b/ext/misc/zipfile.c
@@ -115,9 +115,14 @@ static const char ZIPFILE_SCHEMA[] =
   ") WITHOUT ROWID;";
 
 #define ZIPFILE_F_COLUMN_IDX 7    /* Index of column "file" in the above */
-#define ZIPFILE_BUFFER_SIZE (64*1024)
 #define ZIPFILE_MX_NAME (250)     /* Windows limitation on filename size */
 
+/*
+** The buffer should be large enough to contain 3 65536 byte strings - the
+** filename, the extra field and the file comment.
+*/
+#define ZIPFILE_BUFFER_SIZE (200*1024)
+
 
 /*
 ** Magic numbers used to read and write zip files.
diff --git a/manifest b/manifest
index 98120c507a..6163d5cd1c 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Add\sthe\s--ifexists\soption\sto\sthe\sCLI\sand\sto\sthe\s".open"\scommand\sof\sthe\sCLI.\nAlso\sthe\sundocumented\sand\sunsupported\s--exclusive\soption\son\sthe\ssame.
-D 2025-10-01T20:41:02.802
+C Fix\sa\sbuffer\soverrun\sin\sthe\szipfile\sextension\sthat\scould\soccur\swhile\sprocessing\szip\sarchives\swith\sextremely\slong\sfile-names\sand\scomment\sfields.
+D 2025-10-02T11:16:22.330
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -416,7 +416,7 @@ F ext/misc/vtablog.c 9f7e02e9e8de585f3bfb48405db36c2eb4b680a23a67d7a4b738dd20f6a
 F ext/misc/vtshim.c e5bce24ab8c532f4fdc600148718fe1802cb6ed57417f1c1032d8961f72b0e8f
 F ext/misc/wholenumber.c 0fa0c082676b7868bf2fa918e911133f2b349bcdceabd1198bba5f65b4fc0668
 F ext/misc/windirent.h 02211ce51f3034c675f2dbf4d228194d51b3ee05734678bad5106fff6292e60c
-F ext/misc/zipfile.c e29a32f1697e3828b1ba596a8aac50b5a2703ea6d1d37ff734222858b34bf884
+F ext/misc/zipfile.c 09e6e3a3ff40a99677de3c0bc6569bd5f4709b1844ac3d1c1452a456c5a62f1c
 F ext/misc/zorder.c bddff2e1b9661a90c95c2a9a9c7ecd8908afab5763256294dd12d609d4664eee
 F ext/rbu/rbu.c 801450b24eaf14440d8fd20385aacc751d5c9d6123398df41b1b5aa804bf4ce8
 F ext/rbu/rbu1.test 25870dd7db7eb5597e2b4d6e29e7a7e095abf332660f67d89959552ce8f8f255
@@ -2077,7 +2077,7 @@ F test/zeroblob.test 7b74cefc7b281dfa2b07cd237987fbe94b4a2037a7771e9e83f2d5f608b
 F test/zeroblobfault.test 861d8191a0d944dfebb3cb4d2c5b4e46a5a119eaec5a63dd996c2389f8063441
 F test/zerodamage.test 9c41628db7e8d9e8a0181e59ea5f189df311a9f6ce99cc376dc461f66db6f8dc
 F test/zipfile.test 82d402903199d193073af2c3c56b3c6839d229160fdc9ba437fa959db8da3ecc
-F test/zipfile2.test 6df5f5ef9d247756f7200066f43e7f3f52cffff47f0c02cbefe4ce9c3284cb10
+F test/zipfile2.test a577e0775e32ef8972e7d5e9a45bc071a5ae061b5b965a08c9c4b709ad036a25
 F test/zipfilefault.test 44d4d7a7f7cca7521d569d7f71026b241d65a6b1757aa409c1a168827edbbc2c
 F tool/GetFile.cs 47852aa0d806fe47ed1ac5138bdce7f000fe87aaa7f28107d0cb1e26682aeb44
 F tool/GetTclKit.bat d84033c6a93dfe735d247f48ba00292a1cc284dcf69963e5e672444e04534bbf
@@ -2169,8 +2169,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 26f6d41f9d3ab656129af333d54a8645c6890314919bcae90351ba0c2240ceef
-R 2138b2f147a275dd02f69cff7c85833e
-U drh
-Z 00cc7d6c4887dcdef642741988cdb5f0
+P 9a1947814d235d270dec265bb85db37e75cc077289e444d3d00f8345016c683e
+R 8d69260c6c56213edee4be9463d1b622
+U dan
+Z d0e06edd9c2466b65d6e1aea2fe7033c
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index 451ac7bfdc..998942330b 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-9a1947814d235d270dec265bb85db37e75cc077289e444d3d00f8345016c683e
+c284fda848038a61972fd1df5796f608a24ead109170aafe562a5d5787c46488
diff --git a/test/zipfile2.test b/test/zipfile2.test
index 5277cd58f8..8ee90d310b 100644
--- a/test/zipfile2.test
+++ b/test/zipfile2.test
@@ -243,4 +243,63 @@ do_execsql_test 6.3 {
   SELECT name FROM zip;
 } {test2}
 
+#-------------------------------------------------------------------------
+# Test a crafted corrupt file.
+#
+proc make_corrupt_file {fname} {
+  set central_dir_offset 1000
+  set lfh_offset 200
+  set nFile 60000
+  set nExtra 60000
+  set nComment 0
+  
+  # Build local file header at lfh_offset
+  set lfh ""
+  append lfh [binary format isssssiiiss 0x04034b50 20 0 0 0 0 0 0 0 1 0]
+  append lfh "A"
+  
+  # Build central directory structure (CDS) at central_dir_offset
+  set cds ""
+  append cds [binary format issssssiiisssssii 0x02014b50 0 20 0 0 0 0 0 0 0 $nFile $nExtra $nComment 0 0 0 $lfh_offset]
+  
+  # Payload following CDS: filename + extra + comment
+  set payload ""
+  append payload [string repeat "B" $nFile]
+  append payload [string repeat "C" $nExtra]
+  
+  # EOCD at end
+  set cdsize [expr {[string length $cds] + [string length $payload]}]
+  set eocd ""
+  append eocd [binary format issssiis 0x06054b50 0 0 1 1 $cdsize $central_dir_offset 0]
+  
+  # Assemble file
+  set buf [string repeat "X" $lfh_offset]
+  append buf $lfh
+  
+  set buflen [string length $buf]
+  if {$central_dir_offset > $buflen} {
+      append buf [string repeat "\x00" [expr {$central_dir_offset - $buflen}]]
+  }
+  
+  append buf $cds
+  append buf $payload
+  append buf $eocd
+  
+  # Write to file
+  set f [open $fname wb]
+  fconfigure $f -translation binary
+  puts -nonewline $f $buf
+  close $f
+}
+
+forcedelete test.zip
+make_corrupt_file test.zip
+do_execsql_test 7.0 {
+  DROP TABLE IF EXISTS t1;
+  CREATE VIRTUAL TABLE t1 USING zipfile('test.zip');
+}
+do_execsql_test 7.1 {
+  SELECT length(name) FROM t1;
+} {60000}
+
 finish_test
-- 
2.47.3