
#57 buffer overflow in zipRemoveExtraInfoBlock

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2019-04-18
Created: 2019-04-18
Private: No

1962 pNewHeader = (char*)ALLOC(*dataLen);
1963 pTmp = pNewHeader;
1964
1965 while(p < (pData + *dataLen))
1966 {
1967 header = *(short*)p;
1968 dataSize = *(((short*)p)+1);

At this point the code assumes that dataSize < *dataLen. However, an attacker could be handing you a malicious ZIP file with corrupt data.

1977 memcpy(pTmp, p, dataSize + 4);

In that case this memcpy is a heap buffer overflow: pNewHeader was allocated with only *dataLen bytes, while the copy length dataSize + 4 is read straight from the file.
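A bounds-checked version of the same extra-field walk, added here as an example (it is not zlib's code): it checks the dataSize read from each block against what is actually left in the buffer and refuses the field instead of copying. The function names and the two byte strings are constructed for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Bounds-checked walk of a ZIP extra field (added example, not zlib's code).
   Blocks are: 2-byte header ID, 2-byte data size (little-endian), data.
   Every block except the one with ID sHeader is copied into out (sized
   dataLen). Returns the new length, or -1 for a truncated/corrupt field. */
static unsigned read_le16(const unsigned char *p) {
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

int remove_extra_block_safe(const unsigned char *pData, size_t dataLen,
                            unsigned sHeader, unsigned char *out) {
    size_t in = 0, outLen = 0;
    while (in < dataLen) {
        size_t remaining = dataLen - in;
        if (remaining < 4)            /* not even a full block header left */
            return -1;
        unsigned header = read_le16(pData + in);
        size_t dataSize = read_le16(pData + in + 2);
        /* The original trusts dataSize; check it against what is really
           left in the buffer before anything is copied. */
        if (dataSize > remaining - 4)
            return -1;
        if (header != sHeader) {
            memcpy(out + outLen, pData + in, dataSize + 4);
            outLen += dataSize + 4;
        }
        in += dataSize + 4;
    }
    return (int)outLen;
}

/* Constructed sample: block 0x0001 with 4 data bytes, block 0x7075 with 2. */
static const unsigned char good_field[] = {
    0x01, 0x00, 0x04, 0x00, 0xAA, 0xBB, 0xCC, 0xDD,
    0x75, 0x70, 0x02, 0x00, 0x11, 0x22 };
/* Constructed corrupt sample: the block claims 0xFFFF data bytes but only
   two follow, which is the shape of the overflow reported above. */
static const unsigned char bad_field[] = { 0x01, 0x00, 0xFF, 0xFF, 0xAA, 0xBB };

int demo_good(void) {   /* returns 6: only the 0x7075 block (4+2 bytes) remains */
    unsigned char out[sizeof good_field];
    return remove_extra_block_safe(good_field, sizeof good_field, 0x0001, out);
}
int demo_bad(void) {    /* returns -1: rejected before any memcpy happens */
    unsigned char out[sizeof bad_field];
    return remove_extra_block_safe(bad_field, sizeof bad_field, 0x0001, out);
}
```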

Discussion

  • Felix von Leitner

    Oops, sorry, I filed against the wrong project. This is in zlib, not Info-ZIP.
  • Ed Gordon

    Ed Gordon - 2019-04-18

    No problem.

