On Sun, Jan 12, 2025 at 10:11:47PM +0900, SASANO Takayoshi wrote:
> Hi,
>
> I could not extract GenEi-Latin font (TTF archive) at
> https://okoneya.jp/font/GenEiLatin-Separate_v2.1.zip with unzip-6.0p17,
> and I found "unzip: backwards memcpy" in /var/log messages.
>
> Remedy is simple, add -DNOMEMCPY.
It's the memcpy in inflate.c. The (unsigned) cast is wrong. If d is
larger than w, unsigned overflow will make the result of (unsigned)w - d
larger than UINT_MAX - d, which will almost certainly be larger than e.
However, we can't just do memmove() unconditionally, because the
fallback in case that w - d < e isn't actually memmove() or memcpy()...
Yuck.

I think this patch is safer than adding -DNOMEMCPY to the CFLAGS since
it will keep using the same tested codepaths as before except that it
no longer crashes on your example file (the resulting extracted files
are the same).

The check in explode.c seems correct since it doesn't have this cast.
Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/unzip/Makefile,v
diff -u -p -r1.71 Makefile
--- Makefile 7 Nov 2023 14:19:18 -0000 1.71
+++ Makefile 12 Jan 2025 15:14:43 -0000
@@ -5,7 +5,7 @@ COMMENT = extract, list & test files in
VERSION = 6.0
DISTNAME = unzip${VERSION:S/.//}
PKGNAME = unzip-${VERSION}
-REVISION = 17
+REVISION = 18
CATEGORIES = archivers
SITES = ${SITE_SOURCEFORGE:=infozip/} \
ftp://ftp.info-zip.org/pub/infozip/src/
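Review bot: REVISION 17 -> 18 is the right mechanism to force a package rebuild for a change that only adds a file under patches/, so nothing further is needed in the Makefile for this hunk.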
Index: patches/patch-inflate_c
===================================================================
RCS file: patches/patch-inflate_c
diff -N patches/patch-inflate_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-inflate_c 12 Jan 2025 15:35:45 -0000
@@ -0,0 +1,14 @@
+Avoid backward memcpy
+
+Index: inflate.c
+--- inflate.c.orig
++++ inflate.c
+@@ -1018,7 +1018,7 @@ unsigned bl, bd; /* number of bits decoded by t
+ if ((unsigned)w - d >= e)
+ /* (this test assumes unsigned comparison) */
+ {
+- memcpy(redirSlide + (unsigned)w, redirSlide + d, e);
++ memmove(redirSlide + (unsigned)w, redirSlide + d, e);
+ w += e;
+ d += e;
+ }
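Review bot: the one-line patch header "Avoid backward memcpy" does not record why memmove() was chosen over fixing the test, and the reasoning is non-obvious enough that the next reader will re-derive it. In this hunk the test `if ((unsigned)w - d >= e)` still wraps when d > w, so the branch is still entered with [w, w+e) and [d, d+e) overlapping; memcpy() was undefined there, memmove() is well-defined, and because the source lies ahead of the destination the bytes it produces are the same as the byte-wise fallback would have produced. The fallback itself must stay for the d < w overlap case, where it intentionally repeats the pattern rather than copying. Suggest adding two or three sentences of that (essentially the text of the mail) to the patch header above the `Index: inflate.c` line.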
Index: patches/patch-unix_zipgrep
===================================================================
RCS file: /cvs/ports/archivers/unzip/patches/patch-unix_zipgrep,v
diff -u -p -r1.1 patch-unix_zipgrep
--- patches/patch-unix_zipgrep 14 Apr 2022 21:23:24 -0000 1.1
+++ patches/patch-unix_zipgrep 12 Jan 2025 15:12:44 -0000
@@ -1,10 +1,9 @@
-Index: unix/zipgrep
-
CVE-2022-1271
Prevent arbitrary-file-write vulnerability if an archive member
name contains shell wild cards that expand to an existing pathname
with an exploit pattern.
+Index: unix/zipgrep
--- unix/zipgrep.orig
+++ unix/zipgrep
@@ -70,7 +70,7 @@ for i in `unzip -Z1 "$zipfile" ${1+"$@"} | sed -e 's/\
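Review bot: moving `Index: unix/zipgrep` from the first line of the file to directly above `--- unix/zipgrep.orig` makes this patch header match the layout used by the new patches/patch-inflate_c (description first, then Index, then the file headers), which is worth doing for consistency; the CVE-2022-1271 description text is unchanged, and the remainder of the hunk is context only.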
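To make the arithmetic in the mail concrete, the following is a constructed C model of the inflate.c window copy. It is an added example, not unzip's or the port's code: a 16-byte window, the same `(unsigned)w - d >= e` test, the byte-wise fallback loop, and the memmove() replacement from the patch. The helper names (`copy_patched`, `check_d_after_w`, `check_overlap_repeats`) and the window contents are made up for illustration. Case A is the shape of the reported failure (d > w), where the wrapped test takes the fast path on overlapping regions, the situation OpenBSD's libc reported as "backwards memcpy"; case B shows why the byte loop cannot simply be replaced by memmove().

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the inflate.c window copy discussed in the mail
 * (added example, not unzip's code).  WSIZE is tiny so the cases can be
 * traced by hand; real inflate windows are far larger.
 */
#define WSIZE 16u

/* The test from the patched hunk.  Arithmetic is unsigned, so when d > w
 * the subtraction wraps to a huge value and the "fast" branch is entered. */
static bool fast_copy_ok(unsigned w, unsigned d, unsigned e)
{
    return (unsigned)w - d >= e;
}

/* Whether destination [w, w+e) and source [d, d+e) share any bytes.
 * This is the condition under which memcpy() is undefined. */
static bool regions_overlap(unsigned w, unsigned d, unsigned e)
{
    return w < d + e && d < w + e;
}

/* The slow fallback from inflate.c.  For d < w with overlap this is not a
 * plain copy: it reproduces the LZ77 repeated-pattern semantics. */
static void copy_bytewise(unsigned char *slide, unsigned w, unsigned d, unsigned e)
{
    do {
        slide[w++] = slide[d++];
    } while (--e);
}

/* The copy as it looks after the patch: same test, memmove() on the fast
 * path, byte loop otherwise.  Returns 1 if the fast path was taken. */
static int copy_patched(unsigned char *slide, unsigned w, unsigned d, unsigned e)
{
    if (fast_copy_ok(w, d, e)) {
        memmove(slide + w, slide + d, e);
        return 1;
    }
    copy_bytewise(slide, w, d, e);
    return 0;
}

/* Constructed window contents: "abcdefghijklmnop". */
static void fill_window(unsigned char *slide)
{
    for (unsigned i = 0; i < WSIZE; i++)
        slide[i] = (unsigned char)('a' + i);
}

/* Case A: d > w.  The wrapped test admits the fast path even though the
 * regions overlap; memmove() gives the same bytes as the byte loop because
 * the source lies ahead of the destination.  Returns 1 when all three
 * observations hold. */
static int check_d_after_w(void)
{
    unsigned char ref[WSIZE], win[WSIZE];
    unsigned w = 2, d = 5, e = 6;

    fill_window(ref);
    fill_window(win);
    copy_bytewise(ref, w, d, e);                 /* reference result */
    int fast = copy_patched(win, w, d, e);
    return fast && regions_overlap(w, d, e) && memcmp(ref, win, WSIZE) == 0;
}

/* Case B: d < w with overlap.  The test correctly rejects the fast path and
 * the byte loop repeats "de"; an unconditional memmove() would produce
 * different output, which is why the fallback cannot be dropped.
 * Returns 1 when the slow path ran and its result differs from memmove(). */
static int check_overlap_repeats(void)
{
    unsigned char win[WSIZE], mv[WSIZE];
    unsigned w = 5, d = 3, e = 6;

    fill_window(win);
    fill_window(mv);
    int fast = copy_patched(win, w, d, e);
    memmove(mv + w, mv + d, e);
    return !fast && memcmp(win + w, "dedede", 6) == 0 && memcmp(win, mv, WSIZE) != 0;
}

int main(void)
{
    printf("d > w: test wraps and regions overlap: %s\n",
           fast_copy_ok(2, 5, 6) && regions_overlap(2, 5, 6) ? "yes" : "no");
    printf("case A: memmove matches byte loop:     %s\n", check_d_after_w() ? "yes" : "no");
    printf("case B: slow path still required:      %s\n", check_overlap_repeats() ? "yes" : "no");
    return 0;
}
```

Case A is exactly the situation the patch addresses: the fast path is taken with overlapping regions, memcpy() on it was undefined (and OpenBSD's libc refuses it), while memmove() produces the same bytes the byte loop would. Case B is the reason the mail gives for not using memmove() unconditionally: with d < w and overlap, the byte loop is the decompression semantics, not a plain copy, and memmove() would yield different output.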