[Libreoffice-commits] core.git: package/qa package/source

Thu, 09 Mar 2023 02:19:06 -0800 

 package/qa/cppunit/data/pass/ofz56826-1.zip |binary
 package/source/zipapi/MemoryByteGrabber.hxx |   10 ++++++++++
 package/source/zipapi/ZipFile.cxx           |    4 ++--
 3 files changed, 12 insertions(+), 2 deletions(-)

New commits:
commit 59b0f676758dd752457c84fb4159f6446d74e8a4
Author:     Caolán McNamara <caol...@redhat.com>
AuthorDate: Thu Mar 9 09:25:32 2023 +0000
Commit:     Caolán McNamara <caol...@redhat.com>
CommitDate: Thu Mar 9 10:18:42 2023 +0000

    ofz#56826 Heap-use-after-free
    
    since:
    
    commit abda72eeac19b18c22f57d5443c3955a463605d7
    Date:   Mon Feb 20 00:32:22 2023 +0100
    
        tdf#82984 tdf#94915 zip64 support (import + export)
    
    Change-Id: Iffc1c54b3ccc5464e217d7f94ecc34b57ec1afb1
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/148526
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <caol...@redhat.com>

diff --git a/package/qa/cppunit/data/pass/ofz56826-1.zip 
b/package/qa/cppunit/data/pass/ofz56826-1.zip
new file mode 100644
index 000000000000..b9acfe34da14
Binary files /dev/null and b/package/qa/cppunit/data/pass/ofz56826-1.zip differ
diff --git a/package/source/zipapi/MemoryByteGrabber.hxx 
b/package/source/zipapi/MemoryByteGrabber.hxx
index a4d9f0b1ba49..de59756d2187 100644
--- a/package/source/zipapi/MemoryByteGrabber.hxx
+++ b/package/source/zipapi/MemoryByteGrabber.hxx
@@ -58,6 +58,16 @@ public:
         nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8;
         return nInt16;
     }
+
+    sal_Int16 ReadUInt16()
+    {
+        if (mnCurrent + 2 > mnEnd )
+            return 0;
+        sal_uInt16 nInt16  =  mpBuffer[mnCurrent++] & 0xFF;
+        nInt16 |= ( mpBuffer[mnCurrent++] & 0xFF ) << 8;
+        return nInt16;
+    }
+
     sal_Int32 ReadInt32()
     {
         if (mnCurrent + 4 > mnEnd )
diff --git a/package/source/zipapi/ZipFile.cxx 
b/package/source/zipapi/ZipFile.cxx
index 41325f47e38f..78d746ac1b70 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -1002,12 +1002,12 @@ void ZipFile::readExtraFields(MemoryByteGrabber& 
aMemGrabber, sal_Int16 nExtraLe
     while (nExtraLen > 0) // Extensible data fields
     {
         sal_Int16 nheaderID = aMemGrabber.ReadInt16();
-        sal_Int16 dataSize = aMemGrabber.ReadInt16();
+        sal_uInt16 dataSize = aMemGrabber.ReadUInt16();
         if (nheaderID == 1) // Load Zip64 Extended Information Extra Field
         {
             // Datasize should be 28byte but some files have less (maybe non 
standard?)
             nSize = aMemGrabber.ReadUInt64();
-            sal_Int16 nReadSize = 8;
+            sal_uInt16 nReadSize = 8;
             if (dataSize >= 16)
             {
                 nCompressedSize = aMemGrabber.ReadUInt64();

Reply via email to