From: Martin Matuska <martin@matuska.org>
Date: Sat, 5 Feb 2022 20:02:13 +0000 (+0100)
Subject: zip: fix possible endless loop if reading a truncated zstd archive
X-Git-Tag: v3.6.0~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a1f65ab79ace5376293e3ee0ed0aab635c321181;p=thirdparty%2Flibarchive.git

zip: fix possible endless loop if reading a truncated zstd archive

The fix is analogous to the behavior in case of bzip2 compression.
---

diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index 975681f81..38ada70b5 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -2325,6 +2325,15 @@ zip_read_data_zipx_zstd(struct archive_read *a, const void **buff,
 	}
 
 	in_bytes = zipmin(zip->entry_bytes_remaining, bytes_avail);
+	if(in_bytes < 1) {
+		/* zstd doesn't complain when caller feeds avail_in == 0.
+		 * It will actually return success in this case, which is
+		 * undesirable. This is why we need to make this check
+		 * manually. */
+		archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+		    "Truncated zstd file body");
+		return (ARCHIVE_FATAL);
+	}
 
 	/* Setup buffer boundaries */
 	in.src = compressed_buff;