From cb2221ea7828af506507cc6489bed31945f9c51c Mon Sep 17 00:00:00 2001
From: Kai Dietrich <kai.dietrich@meelogic.com>
Date: Wed, 21 Oct 2020 09:15:12 +0200
Subject: [PATCH 1/2] Add failing test for remove_comment() parsing

zip_file::remove_comment() does some manual parsing on the dictionary
and seems to miss some range check in case of broken input
---
 tests/test.cpp | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/tests/test.cpp b/tests/test.cpp
index 76558db..0481752 100644
--- a/tests/test.cpp
+++ b/tests/test.cpp
@@ -41017,6 +41017,56 @@ static const char *expected_content_types_string = "<?xml version=\"1.0\" encodi
 static const char *expected_atxt_string = "aaa\r\nbbb\r\nccc\n\n\n";
 static const char *expected_printdir_string = "  Length      Date    Time    Name\n---------  ---------- -----   ----\n      587  07/31/2014 19:19   _rels/.rels\n      299  07/31/2014 19:19   docProps/core.xml\n      231  07/31/2014 19:19   docProps/app.xml\n      415  07/31/2014 19:19   xl/workbook.xml\n      697  07/31/2014 19:19   xl/_rels/workbook.xml.rels\n    26038  07/31/2014 19:19   xl/theme/theme1.xml\n      291  07/31/2014 19:19   xl/theme/_rels/theme1.xml.rels\n     6415  07/31/2014 19:19   xl/worksheets/sheet1.xml\n      223  07/31/2014 19:19   xl/sharedStrings.xml\n     3188  07/31/2014 19:19   xl/styles.xml\n   489200  07/31/2014 19:19   xl/media/image1.png\n     1736  07/31/2014 19:19   [Content_Types].xml\n---------                     -------\n   529320                     12 files\n";
 
+
+static const unsigned char comment_crash_zip[] = {
+    0xd8, 0x9d, 0x0e, 0xfa, 0xf6, 0x7f, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+    0x01, 0x00, 0x00, 0x00, 0xb0, 0x0b, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0x00, 0x4d, 0x14, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0xcc, 0xcc, 0xcc, 0xcc,
+    0xcc, 0xcc, 0xcc, 0xcc, 0x73, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x7f, 0x51, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0xf3, 0x0f, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0x30, 0x09, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0xb0, 0xa1, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0xd5, 0xa3, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0xd5, 0xa3, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0xb0, 0x92, 0x0d, 0xfa, 0xf6, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0xb8, 0x92, 0x0d, 0xfa, 0xf6, 0x7f, 0x00, 0x00,
+    0xa8, 0x91, 0x0d, 0xfa, 0xf6, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x70, 0xa0, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0x78, 0xa0, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x90, 0xa0, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0x98, 0xa0, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xa0, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0xb4, 0xa0, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0x80, 0x09, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xcd, 0xcd, 0xcd, 0xcd,
+    0xcd, 0xcd, 0xcd, 0xcd, 0x00, 0x00, 0x00, 0x00, 0xa8, 0x92, 0x0d, 0xfa,
+    0xf6, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00,
+    0xcd, 0xcd, 0xcd, 0xcd, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x90, 0x0d, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0x68, 0xa0, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x20, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0x60, 0x0b, 0x16, 0xe5,
+    0xc2, 0x01, 0x00, 0x00, 0x00, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd,
+    0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0xfd, 0xfd, 0xfd, 0xfd, 0xdd, 0xdd, 0xdd, 0xdd, 0x1d, 0x2a, 0x5d, 0x81,
+    0x1d, 0x76, 0x00, 0x17, 0x30, 0x0b, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00,
+    0x80, 0x0b, 0x16, 0xe5, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
+    0x25, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x87, 0x2b, 0x00, 0x00,
+    0xfd, 0xfd, 0xfd, 0xfd, 0x50, 0x4b, 0x03, 0x04, 0x14, 0x00, 0x00, 0x00,
+    0x08, 0x00, 0x66, 0x49, 0x42, 0x51, 0x1b, 0x81, 0xf5, 0xdc, 0x65, 0x01,
+    0x00, 0x00, 0x79, 0x08, 0x00, 0x00, 0xcf, 0x00, 0x00, 0x00, 0x6d, 0x65,
+    0x65, 0x6c, 0x6f, 0x67, 0x69, 0x63, 0x5f, 0x6c, 0x6f, 0x67, 0x6f, 0x5f,
+    0x6d, 0xa2, 0x63, 0x72, 0x6f, 0x2e, 0x70, 0x6e, 0x6d, 0xed, 0x93, 0xcb,
+    0x4e, 0xc3, 0x30, 0x10, 0x45, 0xf7, 0xf9, 0x0a, 0x4b, 0xac, 0xa9, 0x66,
+    0xfc, 0x88, 0xed, 0x35, 0x0b, 0xc4, 0xa2, 0xbf, 0x00, 0xa2, 0x42, 0x95,
+    0x50, 0x41, 0xe5, 0x21, 0xf1, 0xf7, 0xdc, 0xa9, 0x27, 0xb2, 0x53, 0x28,
+    0x09, 0x84, 0x56, 0xed, 0xe2, 0xc8, 0x93, 0xeb, 0xc9,
+};
+
 void remove_temp_file()
 {
     std::remove(temp_file);
@@ -41254,6 +41304,20 @@ void test_comment()
     remove_temp_file();
 }
 
+void test_comment_crash_zip()
+{
+    std::vector<unsigned char> z;
+    z.assign(comment_crash_zip, comment_crash_zip+sizeof(comment_crash_zip));
+    
+    miniz_cpp::zip_file f;
+    try
+    {
+        f.load(z);
+    } catch(const std::runtime_error &)
+    {
+    }
+}
+
 void write_existing()
 {
     std::ofstream stream(existing_file, std::ios::binary);
@@ -41272,6 +41336,7 @@ void remove_existing()
 
 void test_zip()
 {
+    test_comment_crash_zip();
     write_existing();
     test_load_file();
     test_load_stream();

From 0e1e15747dc3194c294e4f703f8e430cb4cba8c5 Mon Sep 17 00:00:00 2001
From: Kai Dietrich <kai.dietrich@meelogic.com>
Date: Wed, 21 Oct 2020 09:59:28 +0200
Subject: [PATCH 2/2] Fix length checks in zip_file::remove_comment()

---
 zip_file.hpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/zip_file.hpp b/zip_file.hpp
index c324f70..befa3bf 100644
--- a/zip_file.hpp
+++ b/zip_file.hpp
@@ -5651,10 +5651,20 @@ class zip_file
             throw std::runtime_error("didn't find end of central directory signature");
         }
         
+        if (position + 1 >= buffer_.size())
+        {
+            throw std::runtime_error("central dictionary position invalid");
+        }
+        
         uint16_t length = static_cast<uint16_t>(buffer_[position + 1]);
         length = static_cast<uint16_t>(length << 8) + static_cast<uint16_t>(buffer_[position]);
         position += 2;
         
+        if (position + length > buffer_.size())
+        {
+            throw std::runtime_error("comment too long");
+        }
+        
         if(length != 0)
         {
             comment = std::string(buffer_.data() + position, buffer_.data() + position + length);