|
line 3652 :
if (err==Z_STREAM_END) return (iRead==0) ? UNZ_EOF : iRead;
to
if (err==Z_STREAM_END) return (iRead==<code>len</code>) ? UNZ_EOF : iRead;
As iRead is an accumulator of the ZIP output buffer, if Z_STREAM_END is reached, UNZ_EOF is get if the total output bytes equal the expected len !
Kochise
PS : Especialy in ZIP_MEMORY mode !!!
In Code we trust !
|
|
|
|
|
This code is part of zlib, and I assume that is well tested.
Thomas Haase
|
|
|
|
|
Thanks Kochise
This is definitely a bug.
|
|
|
|
|
For some unknown reasons, I inflate a CAB file with odd (300937 bytes) size.
err=inflate(&pfile_in_zip_read_info->stream,flush); The previous line returns me Z_OK intead of Z_STREAM_END at the end of the zipped file, so it fails to the following line in int unzReadCurrentFile :
if (err==Z_OK) return iRead; The problem is it returns the size of the uncompressed file (300937 bytes) in ZRESULT TUnzip::Unzip , which believes there still something to read there :
if (res>0) return ZR_MORE; Just replace this line at the end of int unzReadCurrentFile from :
if (err==Z_OK) return iRead; to
if (err==Z_OK) return pfile_in_zip_read_info->rest_read_uncompressed; So if there REALLY still something to read, the return code will be correct (ZR_MORE), and UNZ_EOF (==0) if there is nothing more left to be read...
But I cannot understand why the zipped CAB file is not correctly unstreamed (doesn't last with a Z_STREAM_END code from 'inflate' but Z_OK instead) :/ I'm still puzzled on this one.
And no, the zlib is far from being well tested, the ZIP_MEMORY handle was specificaly said to be particulary UNTESTED ! It ALWAYS fails if the size of the buffer doesn't match to the size of the uncompressed file (iRead==len), especially on larger buffers which should normally handle file of thiner size. There is plenty of such tricks in the code which turns some particular cases into debuging hell...
Kochise
In Code we trust !
|
|
|
|
|
And just to stop moaning about how zlib is perfect and well tested, that I'm a moron so far, just read this :
http://www.eweek.com/article2/0,1895,1834632,00.asp
Reproduced here for archiving :
"A serious security flaw has been identified in Zlib, a widely used data compression library. Fixes have begun to appear, but a large number of programs could be affected.
Zlib is a data compression library that is used by many third-party programs and is distributed with many operating systems, including many Linux and BSD distributions.
Microsoft Corp. and other proprietary software companies also use the library in many programs. These companies can do so because Zlib is licensed under liberal BSD-style license.
This isn't the first time that the popular Zlib has been the center of a security concern. In 2002, a problem with how it handled memory allocation became a major concern.
This time, the flaw is a buffer overflow in the decompression process. Because the program doesn't properly validate input data, it can be fed bad data, which can lead to a buffer overflow.
This, in turn, means that if a user opens a file with a Zlib-enabled application, such as a Web browser or data compression tool, which contains specially malformed compressed data, an attacker could execute arbitrary code as the user. If this user were running as a system administrator the flaw would run at that level as well.
Read details here about open-source security tools on view at InfoSec.
The flaw was discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team.
Since Zlib is so ubiquitous, this represents a serious security concern.
It's not clear how many programs are affected, but some operating system distributions are widely exposed. According to one source, numerous key packages in the Fedora Core 3 distribution use Zlib. Symantec Corp. reports that AIX, Debian, FreeBSD, Gentoo, SuSE, Red Hat, Ubuntu and many other operating systems are affected.
Some versions of Microsoft's DirectX, FrontPage, Internet Explorer, Office, Visual Studio, Messenger and the Windows InstallShield program, among other programs, also use Zlib and are potentially vulnerable.
Microsoft is currently looking into what vulnerabilities may exist in its software because of the Zlib problem.
As Ormandy said, "Everything from the Linux kernel to OpenSSH, Mozilla and Internet Explorer makes use of Zlib, and any application that understands PNG [portable network graphics] image [format] is likely to use it."
Click here to read about vulnerabilities in two popular open-source projects, phpMyAdmin and phpBB.
If exploited, this flaw could lead to DoS (denial of service) attacks on the targeted machine. This buffer overflow could also be used to allow a hacker unaurhorized access to a system.
At this time, however, Symantec reports, there are no known exploits.
In the open-source operating systems, deploying application fixes for this problem will tend to be straightforward. That's because in these operating systems the Zlib library is usually linked dynamically to applications. Thus, simply updating the operating system with the new library will take care of the problem for most applications. On other systems, however, and even with some open-source applications, each application will need to be patched.
"Zlib is statically linked quite often, especially on non-Unix platforms such as Windows; however, on Linux, BSD and [similar operating systems] it's more conventional to use dynamic linking, especially as Zlib is so widely used on these platforms that it reduces lots of unnecessary duplication," explained Ormandy.
Activity at the Zlib development site has been sparse for some time, and the main developers seem to have moved on to other projects. We received no response to our attempts to contact the developers in time for this story.
However, Ormandy said, "Zlib is very mature and stable, so development is sporadic, but it's certainly not dead. Mark Adler [a Zlib co-author] responded to my report with a patch and an in-depth investigation and explanation within 24 hours, and I believe he expects to release a new version of Zlib very soon."
In the meantime, many open-source operating systems already have patches for the buffer problem. These include Debian, FreeBSD, Gentoo, SuSE and Ubuntu.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog."
Kochise
In Code we trust !
|
|
|
|