Skip to content

Fix #106 #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
abbeycode merged 3 commits into from
Mar 14, 2021
Merged

Fix #106 #108

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
86dd120
Fixed bug in -deleteFile:error: that causes a buffer overrun vulnerab…
abbeycode Mar 14, 2021
741b561
Renamed variable in -deleteFile:error: to make it clearer what it's for
abbeycode Mar 14, 2021
84728f3
Updated changelog
abbeycode Mar 14, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
* Deprecated the initializers that take a file path instead of an `NSURL` (Issue #90, PR #95)
* Fixed a crasher for unreadable files in `+pathIsAZip:` (Issue #99)
* Deprecated all overloads of `-writeData:...` and `-writeIntoBuffer:...` that take any file properties other than the path, replacing them each with a single call that takes an instance of the new `ZipFileProperties`. This allows for all the default values to be defined in one place, so you can specify only where you want to deviate from the defaults (Issue #89, PR #97)
* Fixed buffer overrun vulnerability when deleting a file in an archive where not every file has a file comment (Issue #106)

## 1.9

Expand Down
34 changes: 17 additions & 17 deletions Source/UZKArchive.m
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1460,9 +1460,9 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
detail:detail];
}

UZKLogDebug("Allocating commentary");
char *commentary = (char*)malloc(unzipInfo.size_file_comment);
if ((commentary == NULL) && (unzipInfo.size_file_comment != 0)) {
UZKLogDebug("Allocating file comment buffer");
char *fileCommentBuffer = unzipInfo.size_file_comment > 0 ? (char*)malloc(unzipInfo.size_file_comment) : NULL;
if ((fileCommentBuffer == NULL) && (unzipInfo.size_file_comment != 0)) {
NSString *detail = [NSString localizedStringWithFormat:NSLocalizedStringFromTableInBundle(@"Error allocating commentary info of %@ while deleting %@", @"UnzipKit", _resources, @"Detailed error string"),
currentFileName, filePath];
UZKLogError("UZKErrorCodeDeleteFile: %{public}@", detail);
Expand All @@ -1476,14 +1476,14 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
}

UZKLogDebug("Getting file info");
err = unzGetCurrentFileInfo64(source_zip, &unzipInfo, filename_inzip, FILE_IN_ZIP_MAX_NAME_LENGTH, extra_field, unzipInfo.size_file_extra, commentary, unzipInfo.size_file_comment);
err = unzGetCurrentFileInfo64(source_zip, &unzipInfo, filename_inzip, FILE_IN_ZIP_MAX_NAME_LENGTH, extra_field, unzipInfo.size_file_extra, fileCommentBuffer, unzipInfo.size_file_comment);
if (err != UNZ_OK) {
NSString *detail = [NSString localizedStringWithFormat:NSLocalizedStringFromTableInBundle(@"Error reading extra_field and commentary info of %@ while deleting %@ (%d)", @"UnzipKit", _resources, @"Detailed error string"),
currentFileName, filePath, err];
UZKLogError("UZKErrorCodeDeleteFile: %{public}@", detail);
UZKLogDebug("Closing source_zip, dest_zip, freeing global_comment, extra_field, commentary");
free(extra_field);
free(commentary);
free(fileCommentBuffer);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
}
Expand All @@ -1503,7 +1503,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
}
Expand All @@ -1519,7 +1519,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
}
Expand All @@ -1535,7 +1535,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
}
Expand All @@ -1550,7 +1550,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
Expand All @@ -1568,7 +1568,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
return [self assignError:error code:UZKErrorCodeDeleteFile
detail:detail];
Expand All @@ -1586,7 +1586,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);
return [self assignError:error code:UZKErrorCodeDeleteFile
Expand All @@ -1604,7 +1604,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error

UZKLogDebug("Opening file in destination archive");
err = zipOpenNewFileInZip2(dest_zip, filename_inzip, &zipInfo,
local_extra, size_local_extra, extra_field, (uInt)unzipInfo.size_file_extra, commentary,
local_extra, size_local_extra, extra_field, (uInt)unzipInfo.size_file_extra, fileCommentBuffer,
method, level, 1);
if (err != UNZ_OK) {
NSString *detail = [NSString localizedStringWithFormat:NSLocalizedStringFromTableInBundle(@"Error opening %@ in destination zip while deleting %@ (%d)", @"UnzipKit", _resources, @"Detailed error string"),
Expand All @@ -1615,7 +1615,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);
return [self assignError:error code:UZKErrorCodeDeleteFile
Expand All @@ -1634,7 +1634,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);
return [self assignError:error code:UZKErrorCodeDeleteFile
Expand All @@ -1653,7 +1653,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);
return [self assignError:error code:UZKErrorCodeDeleteFile
Expand All @@ -1672,7 +1672,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error
unzClose(source_zip);
free(global_comment);
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);
return [self assignError:error code:UZKErrorCodeDeleteFile
Expand All @@ -1681,7 +1681,7 @@ - (BOOL)deleteFile:(NSString *)filePath error:(NSError * __autoreleasing*)error

UZKLogDebug("Freeing extra_field, commentary, local_extra, buf");
free(extra_field);
free(commentary);
free(fileCommentBuffer);
free(local_extra);
free(buf);

Expand Down