Extracted from a patch in Fedora.

http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e

From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 22 Sep 2015 18:52:23 +0200
Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input

Suggested-by: Stefan Cornelius
---
 extract.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/extract.c b/extract.c
index 29db027..b9ae667 100644
--- a/extract.c
+++ b/extract.c
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
         if (G.lrec.compression_method == STORED) {
             zusz_t csiz_decrypted = G.lrec.csize;
 
-            if (G.pInfo->encrypted)
+            if (G.pInfo->encrypted) {
+                if (csiz_decrypted <= 12) {
+                    /* handle the error now to prevent unsigned overflow */
+                    Info(slide, 0x401, ((char *)slide,
+                      LoadFarStringSmall(ErrUnzipNoFile),
+                      LoadFarString(InvalidComprData),
+                      LoadFarStringSmall2(Inflate)));
+                    return PK_ERR;
+                }
                 csiz_decrypted -= 12;
+            }
             if (G.lrec.ucsize != csiz_decrypted) {
                 Info(slide, 0x401, ((char *)slide,
                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
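
Review bot: the new guard "if (csiz_decrypted <= 12)" in the encrypted STORED branch also rejects a size of exactly 12, where "csiz_decrypted -= 12" yields 0 without wrapping; only values below 12 overflow the unsigned subtraction. If refusing that boundary case is intended, state it in the comment; otherwise "< 12" is enough to prevent the overflow. The error path also passes LoadFarStringSmall2(Inflate) although this branch handles entries whose compression_method is STORED, so the message names a method that is not in use here. The literal 12 now appears twice in this block and would read better as a single named constant.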
-- 
2.5.2
