authorChristophe Grenier <grenier@cgsecurity.org>2018-02-15 13:47:41 +0100
committerChristophe Grenier <grenier@cgsecurity.org>2018-02-15 13:47:41 +0100
commit416ec9551ae4071296ec1247ab5744cbf8de9129 (patch)
tree703509ef68c088a802bfd3444b8b69393f3726e9
parent9a0548a2fa68bebf21d8ec766ec708f7b3c076c6 (diff)
PhotoRec: avoid endless loop when parsing corrupted zip files. Bug detected via afl-fuzz
-rw-r--r--src/file_zip.c6
1 files changed, 6 insertions, 0 deletions
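diff --git a/src/file_zip.c b/src/file_zip.c
index 73ea3da..68f2431 100644
--- a/src/file_zip.c
+++ b/src/file_zip.c
@@ -336,6 +336,9 @@ static int zip_parse_file_entry(file_recovery_t *fr, const char **ext, const uns
 if(len==0xffffffff && le16(extra.tag)==1)
 {
 len = le64(extra.compressed_size);
+ /* Avoid endless loop */
+ if( fr->file_size + len < fr->file_size)
+ return -1;
 }
 if(krita>0)
 len=krita;
@@ -462,6 +465,9 @@ static int zip64_parse_end_central_dir(file_recovery_t *fr)
 if (dir.end_size > 0)
 {
 const uint64_t len = le64(dir.end_size);
+ /* Avoid endless loop */
+ if( fr->file_size + len <= fr->file_size)
+ return -1;
 if (my_fseek(fr->handle, len, SEEK_CUR) == -1)
 {
 #ifdef DEBUG_ZIP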
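Review bot: The guard added in zip64_parse_end_central_dir only rejects a sum that wraps, but `len` is then handed to `my_fseek(fr->handle, len, SEEK_CUR)`; if that wrapper takes a signed `off_t` like fseek (its signature is not visible here), an attacker-chosen `end_size` between 2^63 and 2^64 - file_size passes the check and is converted to a negative offset, seeking backwards into already-parsed data, which is exactly the revisit pattern the commit is trying to stop. A stricter form would be `if(len > INT64_MAX || fr->file_size + len <= fr->file_size) return -1;`, or a comparison against whatever maximum file size PhotoRec already enforces. The same consideration applies to the first hunk in zip_parse_file_entry, where `len` later advances the parser outside the visible lines; note too that the two guards differ (`<` vs `<=`), which is harmless since `dir.end_size > 0` already excludes zero, but aligning them avoids a reader wondering whether zero is meaningful. The comment `/* Avoid endless loop */` would be more useful as `/* reject a size that wraps file_size: the parser would otherwise revisit earlier data forever */`.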