From: Tim Kientzle
Date: Sat, 16 May 2015 20:28:10 +0000 (-0700)
Subject: Issue #523: Fail if entry is too small for encryption header.
X-Git-Tag: v3.1.900a~100
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eff35d4a23418b5da3c7dfff333941a880b4d936;p=thirdparty%2Flibarchive.git
Issue #523: Fail if entry is too small for encryption header.
---
diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index db8e11410..c0b47c860 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -1613,6 +1613,14 @@ init_traditional_PKWARE_decryption(struct archive_read *a)
 the start of the data area.
 */
 #define ENC_HEADER_SIZE 12
+ if (0 == (zip->entry->zip_flags & ZIP_LENGTH_AT_END)
+ && zip->entry_bytes_remaining < ENC_HEADER_SIZE) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Truncated Zip encrypted body: only %jd bytes available",
+ (intmax_t)zip->entry_bytes_remaining);
+ return (ARCHIVE_FATAL);
+ }
+
 p = __archive_read_ahead(a, ENC_HEADER_SIZE, NULL);
 if (p == NULL) {
 archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
@@ -1650,7 +1658,9 @@ init_traditional_PKWARE_decryption(struct archive_read *a)
 __archive_read_consume(a, ENC_HEADER_SIZE);
 zip->tctx_valid = 1;
- zip->entry_bytes_remaining -= ENC_HEADER_SIZE;
+ if (0 == (zip->entry->zip_flags & ZIP_LENGTH_AT_END)) {
+ zip->entry_bytes_remaining -= ENC_HEADER_SIZE;
+ }
 /*zip->entry_uncompressed_bytes_read += ENC_HEADER_SIZE;*/
 zip->entry_compressed_bytes_read += ENC_HEADER_SIZE;
 zip->decrypted_bytes_remaining = 0;
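Review bot: The new size check in the first hunk carries no comment saying what it protects, and the condition alone does not show why it matters. `entry_bytes_remaining` is presumably taken from size fields in the archive, and the second hunk subtracts `ENC_HEADER_SIZE` from it, so an entry declaring fewer than 12 bytes would leave the counter negative for whatever reads it afterwards. I would put `/* Declared size is untrusted: reject entries too short to hold the 12-byte header before it is subtracted below. */` above the `if`. The `ZIP_LENGTH_AT_END` test is repeated in the second hunk, where `/* Size is not known up front in this mode, so there is nothing to decrement. */` would explain the exemption; that reading of the flag is inferred from its name and should be confirmed. The body of init_traditional_PKWARE_decryption starts and ends outside both hunks.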