Merge branch 'vu862384'
Fixes Issue 656
Fixes CVE-2016-1541
Fixes VU#862384
Fixes TALOS-CAN-155
diff --git a/libarchive/archive_read_support_format_zip.c b/libarchive/archive_read_support_format_zip.c
index 0f8262c..0a0be96 100644
--- a/libarchive/archive_read_support_format_zip.c
+++ b/libarchive/archive_read_support_format_zip.c
@@ -2778,6 +2778,11 @@
switch(rsrc->compression) {
case 0: /* No compression. */
+ if (rsrc->uncompressed_size != rsrc->compressed_size) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Malformed OS X metadata entry: inconsistent size");
+ return (ARCHIVE_FATAL);
+ }
#ifdef HAVE_ZLIB_H
case 8: /* Deflate compression. */
#endif
@@ -2798,6 +2803,12 @@
(intmax_t)rsrc->uncompressed_size);
return (ARCHIVE_WARN);
}
+ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Mac metadata is too large: %jd > 4M bytes",
+ (intmax_t)rsrc->compressed_size);
+ return (ARCHIVE_WARN);
+ }
metadata = malloc((size_t)rsrc->uncompressed_size);
if (metadata == NULL) {
@@ -2836,6 +2847,8 @@
bytes_avail = remaining_bytes;
switch(rsrc->compression) {
case 0: /* No compression. */
+ if ((size_t)bytes_avail > metadata_bytes)
+ bytes_avail = metadata_bytes;
memcpy(mp, p, bytes_avail);
bytes_used = (size_t)bytes_avail;
metadata_bytes -= bytes_used;