Diffstat (limited to 'src/zenhttp/zipfs.cpp')
| -rw-r--r-- | src/zenhttp/zipfs.cpp | 111 |
1 files changed, 79 insertions, 32 deletions
diff --git a/src/zenhttp/zipfs.cpp b/src/zenhttp/zipfs.cpp
index c0ffa2052..3bd09091a 100644
--- a/src/zenhttp/zipfs.cpp
+++ b/src/zenhttp/zipfs.cpp
@@ -100,57 +100,105 @@ namespace {
 //////////////////////////////////////////////////////////////////////////
 ZipFs::ZipFs(IoBuffer&& Buffer)
 {
- MemoryView View = Buffer.GetView();
-
- uint8_t* Cursor = (uint8_t*)(View.GetData()) + View.GetSize();
- if (View.GetSize() < sizeof(EocdRecord))
+ // Treat the input buffer as attacker-controlled. Every offset, size, and
+ // trailer length is validated against View.GetSize() before it is used to
+ // form a pointer. All additions are performed in uint64_t to prevent 32-bit
+ // wrap.
+ const MemoryView View = Buffer.GetView();
+ const uint8_t* Base = static_cast<const uint8_t*>(View.GetData());
+ const size_t Size = View.GetSize();
+
+ if (Size < sizeof(EocdRecord))
 {
 return;
 }
- const auto* EocdCursor = (EocdRecord*)(Cursor - sizeof(EocdRecord));
+ const size_t EocdOffset = Size - sizeof(EocdRecord);
+ const EocdRecord* Eocd = reinterpret_cast<const EocdRecord*>(Base + EocdOffset);
- // It is more correct to search backwards for EocdRecord::Magic as the
- // comment can be of a variable length. But here we're not going to support
- // zip files with comments.
- if (EocdCursor->Signature != EocdRecord::Magic)
+ // We only support a zip whose EOCD sits at the very end of the buffer — no
+ // trailing comment, no Zip64.
+ if (Eocd->Signature != EocdRecord::Magic)
+ {
+ return;
+ }
+ if (Eocd->ThisDiskIndex == 0xffff)
 {
 return;
 }
- // Zip64 isn't supported either
- if (EocdCursor->ThisDiskIndex == 0xffff)
+ const uint32_t CdOffsetRel = Eocd->CdOffset;
+ const uint32_t CdSize = Eocd->CdSize;
+ const uint16_t CdRecordCount = Eocd->CdRecordCount;
+
+ // Central directory must fit strictly before the EOCD. Derive the archive
+ // origin from the EOCD's declared layout so any pre-zip padding in the
+ // buffer is accounted for; LFH offsets are relative to this origin.
+ if (uint64_t(CdOffsetRel) + uint64_t(CdSize) > EocdOffset)
 {
 return;
 }
- Cursor = (uint8_t*)EocdCursor - uint32_t(EocdCursor->CdOffset) - uint32_t(EocdCursor->CdSize);
+ const uint8_t* ArchiveStart = Base + (EocdOffset - CdOffsetRel - CdSize);
+ const uint8_t* CdCursor = ArchiveStart + CdOffsetRel;
+ const uint8_t* CdEnd = CdCursor + CdSize;
- const auto* CdCursor = (CentralDirectoryRecord*)(Cursor + EocdCursor->CdOffset);
- for (int i = 0, n = EocdCursor->CdRecordCount; i < n; ++i)
+ for (uint32_t Record = 0; Record < CdRecordCount; ++Record)
 {
- const CentralDirectoryRecord& Cd = *CdCursor;
+ if (size_t(CdEnd - CdCursor) < sizeof(CentralDirectoryRecord))
+ {
+ return;
+ }
+ const CentralDirectoryRecord& Cd = *reinterpret_cast<const CentralDirectoryRecord*>(CdCursor);
+ if (Cd.Signature != CentralDirectoryRecord::Magic)
+ {
+ return;
+ }
+
+ const uint16_t NameLen = Cd.FileNameLength;
+ const uint16_t ExtraLen = Cd.ExtraFieldLength;
+ const uint16_t CommentLen = Cd.CommentLength;
+ const uint32_t Trailer = uint32_t(NameLen) + uint32_t(ExtraLen) + uint32_t(CommentLen);
+ if (size_t(CdEnd - CdCursor) - sizeof(CentralDirectoryRecord) < Trailer)
+ {
+ return;
+ }
+
+ const uint16_t Compression = Cd.CompressionMethod;
+ const uint32_t Compressed = Cd.CompressedSize;
+ const uint32_t Original = Cd.OriginalSize;
+ const uint32_t LfhOffset = Cd.Offset;
- bool Acceptable = true;
- Acceptable &= (Cd.OriginalSize > 0); // has some content
- Acceptable &= (Cd.CompressionMethod == 0 || Cd.CompressionMethod == 8); // stored or deflate
- if (Acceptable)
+ const bool AcceptableCompression = (Compression == 0) || (Compression == 8);
+ const bool HasContent = Original > 0;
+ if (AcceptableCompression && HasContent)
 {
- const uint8_t* Lfh = Cursor + Cd.Offset;
- if (uintptr_t(Lfh - Cursor) < View.GetSize())
+ // LFH header must fit inside the [ArchiveStart, CdOffsetRel) region
+ // (i.e. the pre-CD body). The LFH's own name + extra + compressed
+ // payload must also fit in that region.
+ const uint64_t LfhEndRel = uint64_t(LfhOffset) + sizeof(LocalFileHeader);
+ if (LfhEndRel <= CdOffsetRel)
 {
- std::string_view FileName(Cd.FileName, Cd.FileNameLength);
- FileItem Item;
- Item.View = MemoryView{Lfh, size_t(0)};
- Item.CompressionMethod = Cd.CompressionMethod;
- Item.CompressedSize = Cd.CompressedSize;
- Item.UncompressedSize = Cd.OriginalSize;
- m_Files.insert(std::make_pair(FileName, std::move(Item)));
+ const LocalFileHeader* Lfh = reinterpret_cast<const LocalFileHeader*>(ArchiveStart + LfhOffset);
+ const uint64_t DataStartRel =
+ LfhEndRel + uint64_t(uint16_t(Lfh->FileNameLength)) + uint64_t(uint16_t(Lfh->ExtraFieldLength));
+ const uint64_t DataEndRel = DataStartRel + uint64_t(Compressed);
+ if (DataEndRel <= CdOffsetRel)
+ {
+ const uint8_t* FileData = ArchiveStart + DataStartRel;
+ std::string_view FileName(Cd.FileName, NameLen);
+
+ FileItem Item;
+ Item.View = MemoryView{FileData, size_t(0)};
+ Item.CompressionMethod = Compression;
+ Item.CompressedSize = Compressed;
+ Item.UncompressedSize = Original;
+ m_Files.insert({FileName, std::move(Item)});
+ }
 }
 }
- uint32_t ExtraBytes = Cd.FileNameLength + Cd.ExtraFieldLength + Cd.CommentLength;
- CdCursor = (CentralDirectoryRecord*)(Cd.FileName + ExtraBytes);
+ CdCursor += sizeof(CentralDirectoryRecord) + Trailer;
 }
 m_Buffer = std::move(Buffer);
@@ -184,8 +232,7 @@ ZipFs::GetFile(const std::string_view& FileName) const
 return IoBuffer(IoBuffer::Wrap, Item.View.GetData(), Item.View.GetSize());
 }
- const auto* Lfh = (LocalFileHeader*)(Item.View.GetData());
- const uint8_t* FileData = (const uint8_t*)(Lfh->FileName + Lfh->FileNameLength + Lfh->ExtraFieldLength);
+ const uint8_t* FileData = static_cast<const uint8_t*>(Item.View.GetData());
 if (Item.CompressionMethod == 0)
 {
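Review bot: For stored entries (`Compression == 0`) the constructor bounds-checks only `Compressed` bytes of payload (`DataEndRel <= CdOffsetRel`) but records the unchecked `Original` as `UncompressedSize`, so an archive can declare a tiny CompressedSize and a huge OriginalSize and still be accepted; if the stored branch of GetFile (outside this hunk) hands out UncompressedSize bytes, that reads past the validated region. Requiring the two to agree for method 0 closes this at the point where the validation already lives: `const bool SizesAgree = (Compression != 0) || (Compressed == Original);` and `if (AcceptableCompression && HasContent && SizesAgree)`. Separately, `Original` is attacker-controlled and unbounded (up to 4 GiB), so if the deflate path allocates it, a cap such as `constexpr uint32_t MaxUncompressedSize` checked here would turn a zip-bomb allocation into a rejected entry; and if `LocalFileHeader` declares a `Signature`/`Magic` pair like the other two records, checking it before reading `Lfh->FileNameLength` would match the treatment of the CD and EOCD records. The constructor's closing brace lies outside the hunk.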
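Review bot: The new `FileData` line should document how many bytes are valid behind that pointer, since `Item.View` is constructed with size 0 in the constructor and nothing in this hunk says which length the stored and deflate branches may trust. A comment such as `// Start of the entry payload. The constructor bounds-checked exactly Item.CompressedSize bytes here; UncompressedSize is an unverified claim from the central directory and must never be used as a read length.` would make that explicit. The early-return above still reads `Item.View.GetSize()`, which is always 0 for entries created by this constructor — presumably a sentinel for a cached decoded view, worth a one-line comment if so. The branches that consume `FileData` are outside the hunk.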