diff options
Diffstat (limited to 'meta-oe/recipes-extended/p7zip/files/CVE-2017-17969.patch')
-rw-r--r-- | meta-oe/recipes-extended/p7zip/files/CVE-2017-17969.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/p7zip/files/CVE-2017-17969.patch b/meta-oe/recipes-extended/p7zip/files/CVE-2017-17969.patch new file mode 100644 index 000000000..177d1455f --- /dev/null +++ b/meta-oe/recipes-extended/p7zip/files/CVE-2017-17969.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | p7zip: Fix CVE-2017-17969 | ||
2 | |||
3 | [No upstream tracking] -- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888297 | ||
4 | |||
5 | Heap-based buffer overflow in 7zip | ||
6 | |||
7 | Compress/ShrinkDecoder.cpp: Heap-based buffer overflow | ||
8 | in the NCompress::NShrink::CDecoder::CodeReal method | ||
9 | in 7-Zip before 18.00 and p7zip allows remote attackers | ||
10 | to cause a denial of service (out-of-bounds write) | ||
11 | or potentially execute arbitrary code via a crafted ZIP archive. | ||
12 | |||
13 | Upstream-Status: Backport [https://sourceforge.net/p/p7zip/bugs/_discuss/thread/0920f369/8316/attachment/CVE-2017-17969.patch] | ||
14 | CVE: CVE-2017-17969 | ||
15 | Signed-off-by: Radovan Scasny <radovan.scasny@siemens.com> | ||
16 | |||
17 | --- a/CPP/7zip/Compress/ShrinkDecoder.cpp | ||
18 | +++ b/CPP/7zip/Compress/ShrinkDecoder.cpp | ||
19 | @@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialInStream *inStream, ISequentialOutStream * | ||
20 | { | ||
21 | _stack[i++] = _suffixes[cur]; | ||
22 | cur = _parents[cur]; | ||
23 | + if (cur >= kNumItems || i >= kNumItems) | ||
24 | + break; | ||
25 | } | ||
26 | + | ||
27 | + if (cur >= kNumItems || i >= kNumItems) | ||
28 | + break; | ||
29 | |||
30 | _stack[i++] = (Byte)cur; | ||
31 | lastChar2 = (Byte)cur; | ||