Thanks for the bug report and proposed fix. I installed the attached,
which should fix the gzip bug in a different way.
I think the bug is innocuous in practice, but it's good to fix it anyway
as these things tend to mushroom.

From c5e789971dfbc999cde5d1ce526a4422310617b8 Mon Sep 17 00:00:00 2001
From: Paul Eggert <egg...@cs.ucla.edu>
Date: Thu, 29 May 2025 23:06:19 -0700
Subject: [PATCH] gzip: fix uninitialized read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Problem reported by Mohamed Maatallah <https://bugs.gnu.org/78639>.
* unzip.c (check_zipfile):
Don’t read past end of initialized data in the input buffer.
---
NEWS | 5 +++++
THANKS | 1 +
unzip.c | 4 +++-
3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 1698401..9be1a87 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU gzip NEWS -*- outline -*-
* Noteworthy changes in release ?.? (????-??-??) [?]
+** Bug fixes
+
+ A use of uninitialized memory on some malformed inputs has been fixed.
+ [bug present since the beginning]
+
* Noteworthy changes in release 1.14 (2025-04-09) [stable]
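Review bot: the new NEWS entry ("A use of uninitialized memory on some malformed inputs has been fixed.") does not say which inputs trigger it; the commit message and the unzip.c hunk show it is the zip-format path (check_zipfile reading the local header), so naming that here would let users judge whether their workloads are affected. Something like "A use of uninitialized memory when reading the local header of some malformed zip-format inputs has been fixed." would carry that information without growing the entry.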
diff --git a/THANKS b/THANKS
index 6373fea..4e545d9 100644
--- a/THANKS
+++ b/THANKS
@@ -184,6 +184,7 @@ David R. Linn d...@vuse.vanderbilt.edu
Antonio Lioy c...@athena.polito.it
Jamie Lokier u9...@ecs.oxford.ac.uk
Richard Lloyd r.k.ll...@csc.liv.ac.uk
+Mohamed Maatallah zephyrofficialdisc...@gmail.com
David J. MacKenzie d...@eng.umd.edu
John R MacMillan j...@chance.gts.org
Ron Male m...@eso.mc.xerox.com
diff --git a/unzip.c b/unzip.c
index 9880408..1bd9ca7 100644
--- a/unzip.c
+++ b/unzip.c
@@ -69,7 +69,9 @@ check_zipfile (int in)
ifd = in;
/* Check validity of local header, and skip name and extra fields */
- inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
+ inptr += LOCHDR;
+ if (inptr <= insize)
+ inptr += SH(h + LOCFIL) + SH(h + LOCEXT);
if (inptr > insize || LG(h) != LOCSIG) {
fprintf(stderr, "\n%s: %s: not a valid zip file\n",
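Review bot: the split of the single addition into `inptr += LOCHDR;` plus a guarded `inptr += SH(h + LOCFIL) + SH(h + LOCEXT);` is correct but looks arbitrary without a comment, and its safety rests on two facts the code does not state: `insize` is the count of initialized bytes, so `inptr <= insize` after adding LOCHDR means the whole local header is initialized, and LOCFIL and LOCEXT (plus the two bytes each SH reads) both lie inside those first LOCHDR bytes. A short comment above the `if`, e.g. "/* Read the name and extra-field lengths only if the whole local header lies within the initialized part of inbuf; otherwise the check below rejects the file. */", would record why the two length fields are read only after the size check and would keep a future edit from hoisting the reads back out. Note also that the existing `inptr > insize || LG(h) != LOCSIG` test still fires on the short-header case, and the `||` short-circuit means LG(h) is not evaluated when the header is truncated, so the error path is unchanged.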
--
2.48.1