Attachment #172520 for bug #211114

Lines 3-8 Link Here

(-)Makefile (+1 lines)
3		3
4	PORTNAME= p7zip	4	PORTNAME= p7zip
5	PORTVERSION= 15.14	5	PORTVERSION= 15.14
		6	PORTREVISION= 1
6	CATEGORIES= archivers	7	CATEGORIES= archivers
7	MASTER_SITES= SF	8	MASTER_SITES= SF
8	DISTNAME= ${PORTNAME}_${DISTVERSION}_src_all	9	DISTNAME= ${PORTNAME}_${DISTVERSION}_src_all




CVE-2016-2334

--- CPP/7zip/Archive/HfsHandler.cpp.orig	Fri Jun 19 06:52:08 2015
+++ CPP/7zip/Archive/HfsHandler.cpp	Mon May 23 20:37:42 2016
@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
       item.GroupID = Get32(r + 0x24);
       item.AdminFlags = r[0x28];
       item.OwnerFlags = r[0x29];
+      */
       item.FileMode = Get16(r + 0x2A);
+      /*
       item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
       item.FileType = Get32(r + 0x30);
       item.FileCreator = Get32(r + 0x34);
@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
       blockSize = (UInt32)rem;
 
     UInt32 size = GetUi32(tableBuf + i * 8 + 4);
+
+    if (size > buf.Size() || size > kCompressionBlockSize + 1)
+        return S_FALSE;
 
     RINOK(ReadStream_FALSE(inStream, buf, size));
 




CVE-2016-2335

--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig	Fri Nov 20 15:40:08 2015
+++ CPP/7zip/Archive/Udf/UdfIn.cpp	Mon May 23 20:37:46 2016
@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
     return S_FALSE;
   CFile &file = Files.Back();
   const CLogVol &vol = LogVols[volIndex];
-  CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
+  unsigned partitionRef = lad.Location.PartitionRef;
+
+  if (partitionRef >= vol.PartitionMaps.Size())
+  	return S_FALSE;
+  CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
 
   UInt32 key = lad.Location.Pos;
   UInt32 value;

Return to bug 211114

Line 0 Link Here

(-)files/patch-CPP_7zip_Archive_HfsHandler.cpp (+24 lines)
	1	CVE-2016-2334
	2
	3	--- CPP/7zip/Archive/HfsHandler.cpp.orig Fri Jun 19 06:52:08 2015
	4	+++ CPP/7zip/Archive/HfsHandler.cpp Mon May 23 20:37:42 2016
	5	@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, cons
	6	item.GroupID = Get32(r + 0x24);
	7	item.AdminFlags = r[0x28];
	8	item.OwnerFlags = r[0x29];
	9	+ */
	10	item.FileMode = Get16(r + 0x2A);
	11	+ /*
	12	item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
	13	item.FileType = Get32(r + 0x30);
	14	item.FileCreator = Get32(r + 0x34);
	15	@@ -1571,6 +1573,9 @@ HRESULT CHandler::ExtractZlibFile(
	16	blockSize = (UInt32)rem;
	17
	18	UInt32 size = GetUi32(tableBuf + i * 8 + 4);
	19	+
	20	+ if (size > buf.Size() \|\| size > kCompressionBlockSize + 1)
	21	+ return S_FALSE;
	22
	23	RINOK(ReadStream_FALSE(inStream, buf, size));
	24

Line 0 Link Here

(-)files/patch-CPP_7zip_Archive_Udf_UdfIn.cpp (+17 lines)
	1	CVE-2016-2335
	2
	3	--- CPP/7zip/Archive/Udf/UdfIn.cpp.orig Fri Nov 20 15:40:08 2015
	4	+++ CPP/7zip/Archive/Udf/UdfIn.cpp Mon May 23 20:37:46 2016
	5	@@ -389,7 +389,11 @@ HRESULT CInArchive::ReadFileItem(int volIndex, int fsI
	6	return S_FALSE;
	7	CFile &file = Files.Back();
	8	const CLogVol &vol = LogVols[volIndex];
	9	- CPartition &partition = Partitions[vol.PartitionMaps[lad.Location.PartitionRef].PartitionIndex];
	10	+ unsigned partitionRef = lad.Location.PartitionRef;
	11	+
	12	+ if (partitionRef >= vol.PartitionMaps.Size())
	13	+ return S_FALSE;
	14	+ CPartition &partition = Partitions[vol.PartitionMaps[partitionRef].PartitionIndex];
	15
	16	UInt32 key = lad.Location.Pos;
	17	UInt32 value;