Re: [patch] Infinite loop in zip_fread,
Dieter Baron
(2010/02/09 15:23:07)
On Feb 5, 2010, at 14:38, Alexander Galanin wrote:
> On Thu, 4 Feb 2010 09:31:09 +0300
> Alexander Galanin <al%galanin.nnov.ru@localhost> wrote:
>
>> Hello!
>>
>> I found that zip_fread enters an infinite loop while reading a file with a bad
>> CRC. You can reproduce the problem using the attached test.
The attached zip archive contains only an empty directory, so I cannot
reproduce the bug.
>
> Sorry, the previous patch is not correct. The following patch seems to be
> more stable:
>
> diff -r 887db8097f2f lib/zip_fread.c
> --- a/lib/zip_fread.c Срд Фев 03 10:17:41 2010 +0100
> +++ b/lib/zip_fread.c Птн Фев 05 16:35:02 2010 +0300
> @@ -97,11 +97,16 @@
>
> case Z_OK:
> len = zf->zstr->total_out - out_before;
> - if (len >= zf->bytes_left || len >= toread) {
> + if (len >= zf->bytes_left || len >= toread || ret == Z_STREAM_END) {
> if (zf->flags & ZIP_ZF_CRC)
> zf->crc = crc32(zf->crc, (Bytef *)outbuf, len);
> zf->bytes_left -= len;
> - return len;
> + if (ret == Z_STREAM_END && zf->crc != zf->crc_orig) {
> + _zip_error_set(&zf->error, ZIP_ER_CRC, 0);
> + return -1;
> + } else {
> + return len;
> + }
> }
> break;
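Review bot: the new comparison `zf->crc != zf->crc_orig` in the `ret == Z_STREAM_END` branch is not guarded by `zf->flags & ZIP_ZF_CRC`, although the `crc32()` update just above it is, so when that flag is clear `zf->crc` is not updated in this block and the check can report ZIP_ER_CRC for data that is intact. Suggest testing the flag in the same condition, for example `if (ret == Z_STREAM_END && (zf->flags & ZIP_ZF_CRC) && zf->crc != zf->crc_orig)`. Separately, the `return -1` is reached after `len` bytes have been written to `outbuf` and `zf->bytes_left` has been reduced, so the caller gets an error and no count for data it has already been handed; consider returning `len` here and reporting the CRC error on the following call.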
Hm, that might return -1 when data has been placed in outbuf, in which case it
should return the amount of data placed there, and return -1 on the next call.
Please send me a zip archive that exposes this bug, and I'll look into it.
yours,
dillo