On Tue, Jun 14, 2022 at 07:06:37PM +0200, Santiago Vila wrote: > But the github repository containing the test cases, namely this: > https://github.com/ByteHackr/unzip_poc > contains a test case for yet another problem called CVE-2022-0529 > which I would like to fix as well.
Hello Steven and Santiago, I'm attaching a proposed patch to fix CVE-2022-0529. Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <[email protected]>
diff --git a/process.c b/process.c
index d2a846e..99b9c7b 100644
--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
char buf[9];
char *buffer = NULL;
char *local_string = NULL;
+ size_t buffer_size;
for (wsize = 0; wide_string[wsize]; wsize++) ;
if (max_bytes < MAX_ESCAPE_BYTES)
max_bytes = MAX_ESCAPE_BYTES;
- if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+ buffer_size = wsize * max_bytes + 1;
+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {
return NULL;
}
@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
/* no MB for this wide */
/* use escape for wide character */
char *escape_string = wide_to_escape_string(wide_string[i]);
- strcat(buffer, escape_string);
+ size_t buffer_len = strlen(buffer);
+ size_t escape_string_len = strlen(escape_string);
+ if (buffer_len + escape_string_len + 1 > buffer_size)
+ escape_string_len = buffer_size - buffer_len - 1;
+ strncat(buffer, escape_string, escape_string_len);
free(escape_string);
}
}
signature.asc
Description: PGP signature
