<pre style='margin:0'>
ra1nb0w (ra1nb0w) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/82a12af33734b84f96fa1e70cfbb1797227a33bb">https://github.com/macports/macports-ports/commit/82a12af33734b84f96fa1e70cfbb1797227a33bb</a></p>
<pre style="white-space: pre; background: #F8F8F8"><span style='display:block; white-space:pre;color:#808000;'>commit 82a12af33734b84f96fa1e70cfbb1797227a33bb
</span>Author: Greg Fiumara <gregory.fiumara@nist.gov>
AuthorDate: Mon Apr 13 10:06:47 2020 -0400
<span style='display:block; white-space:pre;color:#404040;'> unzip: security patches from Debian
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Added 5 previously unmerged patches from Debian's unzip package:
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> * CVE-2018-1000035
</span><span style='display:block; white-space:pre;color:#404040;'> * CVE-2019-13232
</span><span style='display:block; white-space:pre;color:#404040;'> * CVE-2019-13232
</span><span style='display:block; white-space:pre;color:#404040;'> * CVE-2019-13232
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Closes: https://trac.macports.org/ticket/56441
</span>---
archivers/unzip/Portfile | 12 +-
...20-cve-2018-1000035-unzip-buffer-overflow.patch | 36 +++
.../21-fix-warning-messages-on-big-files.patch | 15 +
...2-cve-2019-13232-fix-bug-in-undefer-input.patch | 22 ++
...19-13232-zip-bomb-with-overlapped-entries.patch | 335 +++++++++++++++++++++
...ise-alert-for-misplaced-central-directory.patch | 103 +++++++
...-utf8.patch => 99-unzip60-alt-iconv-utf8.patch} | 0
7 files changed, 520 insertions(+), 3 deletions(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/Portfile b/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 0cbb4a6..4f67c5e 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -4,7 +4,7 @@ PortSystem 1.0
</span>
name unzip
version 6.0
<span style='display:block; white-space:pre;background:#ffe0e0;'>-revision 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+revision 3
</span> maintainers nomaintainer
categories archivers sysutils
platforms darwin freebsd
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -46,7 +46,13 @@ patchfiles \
</span> 16-fix-integer-underflow-csiz-decrypted.patch \
17-restore-unix-timestamps-accurately.patch \
18-cve-2014-9913-unzip-buffer-overflow.patch \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- 19-cve-2016-9844-zipinfo-buffer-overflow.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 19-cve-2016-9844-zipinfo-buffer-overflow.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 20-cve-2018-1000035-unzip-buffer-overflow.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 21-fix-warning-messages-on-big-files.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 22-cve-2019-13232-fix-bug-in-undefer-input.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ 24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span>
post-patch {
reinplace -E "/-O3/s|(LF2=\")|\\1[get_canonical_archflags ld]|" \
<span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -92,7 +98,7 @@ if {${build_arch} eq "x86_64"} {
</span>
variant iconv description {Add iconv support} {
depends_lib-append port:libiconv
<span style='display:block; white-space:pre;background:#ffe0e0;'>- patchfiles-append 20-unzip60-alt-iconv-utf8.patch
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ patchfiles-append 99-unzip60-alt-iconv-utf8.patch
</span>
set unicode_support_args "-DUNICODE_SUPPORT -DUTF8_MAYBE_NATIVE -D_MBCS"
append localflags " -I${prefix}/include -DNATIVE ${unicode_support_args}"
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/20-cve-2018-1000035-unzip-buffer-overflow.patch b/archivers/unzip/files/20-cve-2018-1000035-unzip-buffer-overflow.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..ec7738a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/20-cve-2018-1000035-unzip-buffer-overflow.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,36 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Karol Babioch <kbabioch@suse.com>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix buffer overflow in password protected zip archives
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/889838
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-22
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1582,6 +1582,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int r = IZ_PW_ENTERED;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *m;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char *prompt;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *zfnf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ char *efnf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t zfnfl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int isOverflow;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifndef REENTRANT
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* tell picky compilers to shut up about "unused variable" warnings */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1590,7 +1594,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (*rcnt == 0) { /* First call for current entry */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *rcnt = 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ zfnf = FnFilter1(zfn);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ efnf = FnFilter2(efn);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ zfnfl = strlen(zfnf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ isOverflow = TRUE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ isOverflow = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sprintf(prompt, LoadFarString(PasswPrompt),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ FnFilter1(zfn), FnFilter2(efn));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ m = prompt;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/21-fix-warning-messages-on-big-files.patch b/archivers/unzip/files/21-fix-warning-messages-on-big-files.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..55a115a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/21-fix-warning-messages-on-big-files.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: "Steven M. Schweda" <sms@antinode.info>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix lame code in fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/929502
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-23
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2477,6 +2477,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return (((zusz_t)sig[7]) << 56)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ + (((zusz_t)sig[6]) << 48)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ + (((zusz_t)sig[5]) << 40)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ + (((zusz_t)sig[4]) << 32)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ + (zusz_t)((((ulg)sig[3]) << 24)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ + (((ulg)sig[2]) << 16)
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/22-cve-2019-13232-fix-bug-in-undefer-input.patch b/archivers/unzip/files/22-cve-2019-13232-fix-bug-in-undefer-input.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e77b5f0
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/22-cve-2019-13232-fix-bug-in-undefer-input.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,22 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Mark Adler <madler@alumni.caltech.edu>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Fix bug in undefer_input() that misplaced the input state.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/931433
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Fix bug in undefer_input() that misplaced the input state.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/fileio.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -532,8 +532,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * This condition was checked when G.incnt_leftover was set > 0 in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * defer_leftover_input(), and it is NOT allowed to touch G.csize
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * before calling undefer_input() when (G.incnt_leftover > 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- * (single exception: see read_byte()'s "G.csize <= 0" handling) !!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * (single exception: see readbyte()'s "G.csize <= 0" handling) !!
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.csize < 0L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.csize = 0L;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.incnt = G.incnt_leftover + (int)G.csize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.inptr = G.inptr_leftover - (int)G.csize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.incnt_leftover = 0;
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch b/archivers/unzip/files/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..e7fd7e7
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/23-cve-2019-13232-zip-bomb-with-overlapped-entries.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,335 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Mark Adler <madler@alumni.caltech.edu>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Detect and reject a zip bomb using overlapped entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/931433
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-24
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Detect and reject a zip bomb using overlapped entries.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ This detects an invalid zip file that has at least one entry that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ overlaps with another entry or with the central directory to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ end of the file. A Fifield zip bomb uses overlapped local entries
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ to vastly increase the potential inflation ratio. Such an invalid
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ zip file is rejected.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ See https://www.bamsoftware.com/hacks/zipbomb/ for David Fifield's
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ analysis, construction, and examples of such zip bombs.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The detection maintains a list of covered spans of the zip files
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ so far, where the central directory to the end of the file and any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bytes preceding the first entry at zip file offset zero are
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ considered covered initially. Then as each entry is decompressed
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ or tested, it is considered covered. When a new entry is about to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ be processed, its initial offset is checked to see if it is
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ contained by a covered span. If so, the zip file is rejected as
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ invalid.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ This commit depends on a preceding commit: "Fix bug in
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ undefer_input() that misplaced the input state."
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -321,6 +321,125 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "\nerror: unsupported extra-field compression type (%u)--skipping\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static ZCONST char Far BadExtraFieldCRC[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ "error [%s]: bad extra-field CRC %08lx (should be %08lx)\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static ZCONST char Far NotEnoughMemCover[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "error: not enough memory for bomb detection\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static ZCONST char Far OverlappedComponents[] =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ "error: invalid zip file with overlapped components (possible zip bomb)\n";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* A growable list of spans. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef zoff_t bound_t;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t beg; /* start of the span */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t end; /* one past the end of the span */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++} span_t;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef struct {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ span_t *span; /* allocated, distinct, and sorted list of spans */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t num; /* number of spans in the list */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t max; /* allocated number of spans (num <= max) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++} cover_t;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Return the index of the first span in cover whose beg is greater than val.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * If there is no such span, then cover->num is returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static size_t cover_find(cover, val)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_t *cover;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t val;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t lo = 0, hi = cover->num;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ while (lo < hi) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t mid = (lo + hi) >> 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (val < cover->span[mid].beg)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ hi = mid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ lo = mid + 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return hi;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/* Return true if val lies within any one of the spans in cover. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int cover_within(cover, val)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_t *cover;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t val;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t pos = cover_find(cover, val);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return pos > 0 && val < cover->span[pos - 1].end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++/*
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Add a new span to the list, but only if the new span does not overlap any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * spans already in the list. The new span covers the values beg..end-1. beg
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * must be less than end.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * Keep the list sorted and merge adjacent spans. Grow the allocated space for
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * the list as needed. On success, 0 is returned. If the new span overlaps any
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * existing spans, then 1 is returned and the new span is not added to the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * list. If the new span is invalid because beg is greater than or equal to
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * end, then -1 is returned. If the list needs to be grown but the memory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * allocation fails, then -2 is returned.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static int cover_add(cover, beg, end)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_t *cover;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t beg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bound_t end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t pos;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int prec, foll;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (beg >= end)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The new span is invalid. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return -1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Find where the new span should go, and make sure that it does not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ overlap with any existing spans. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pos = cover_find(cover, beg);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((pos > 0 && beg < cover->span[pos - 1].end) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (pos < cover->num && end > cover->span[pos].beg))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Check for adjacencies. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ prec = pos > 0 && beg == cover->span[pos - 1].end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ foll = pos < cover->num && end == cover->span[pos].beg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (prec && foll) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The new span connects the preceding and following spans. Merge the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ following span into the preceding span, and delete the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ span. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span[pos - 1].end = cover->span[pos].end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->num--;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memmove(cover->span + pos, cover->span + pos + 1,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (cover->num - pos) * sizeof(span_t));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (prec)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The new span is adjacent only to the preceding span. Extend the end
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ of the preceding span. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span[pos - 1].end = end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else if (foll)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The new span is adjacent only to the following span. Extend the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ beginning of the following span. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span[pos].beg = beg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* The new span has gaps between both the preceding and the following
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ spans. Assure that there is room and insert the span. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (cover->num == cover->max) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ size_t max = cover->max == 0 ? 16 : cover->max << 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ span_t *span = realloc(cover->span, max * sizeof(span_t));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (span == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return -2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span = span;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->max = max;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ memmove(cover->span + pos + 1, cover->span + pos,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (cover->num - pos) * sizeof(span_t));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->num++;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span[pos].beg = beg;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover->span[pos].end = end;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -376,6 +495,29 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* !SFX || SFX_EXDIR */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* One more: initialize cover structure for bomb detection. Start with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ span that covers the central directory though the end of the file. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.cover == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.cover = malloc(sizeof(cover_t));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.cover == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(NotEnoughMemCover)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_MEM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((cover_t *)G.cover)->span = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((cover_t *)G.cover)->max = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((cover_t *)G.cover)->num = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((G.extra_bytes != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_add((cover_t *)G.cover,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.extra_bytes + G.ecrec.offset_start_central_directory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ziplen) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(NotEnoughMemCover)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_MEM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*---------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The basic idea of this function is as follows. Since the central di-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ rectory lies at the end of the zipfile and the member files lie at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -593,7 +735,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (error > error_in_archive)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ error_in_archive = error;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* ...and keep going (unless disk full or user break) */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (G.disk_full > 1 || error_in_archive == IZ_CTRLC) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.disk_full > 1 || error_in_archive == IZ_CTRLC ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error == PK_BOMB) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* clear reached_end to signal premature stop ... */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ reached_end = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* ... and cancel scanning the central directory */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1062,6 +1205,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* seek_zipf(__G__ pInfo->offset); */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ request = G.pInfo->offset + G.extra_bytes;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (cover_within((cover_t *)G.cover, request)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(OverlappedComponents)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_BOMB;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ inbuf_offset = request % INBUFSIZ;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bufstart = request - inbuf_offset;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1602,6 +1750,18 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return IZ_CTRLC; /* cancel operation by user request */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error = cover_add((cover_t *)G.cover, request,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.cur_zipfile_bufstart + (G.inptr - G.inbuf));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (error < 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(NotEnoughMemCover)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_MEM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (error != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(OverlappedComponents)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_BOMB;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef MACOS /* MacOS is no preemptive OS, thus call event-handling by hand */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ UserStop();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2003,6 +2163,34 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ undefer_input(__G);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((G.lrec.general_purpose_bit_flag & 8) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* skip over data descriptor (harder than it sounds, due to signature
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ * ambiguity)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define SIG 0x08074b50
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++# define LOW 0xffffffff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ uch buf[12];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ unsigned shy = 12 - readbuf((char *)buf, 12);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ulg crc = shy ? 0 : makelong(buf);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ulg clen = shy ? 0 : makelong(buf + 4);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ulg ulen = shy ? 0 : makelong(buf + 8); /* or high clen if ZIP64 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (crc == SIG && /* if not SIG, no signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (G.lrec.crc32 != SIG || /* if not SIG, have signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (clen == SIG && /* if not SIG, no signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ((G.lrec.csize & LOW) != SIG || /* if not SIG, have signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (ulen == SIG && /* if not SIG, no signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (G.zip64 ? G.lrec.csize >> 32 : G.lrec.ucsize) != SIG
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* if not SIG, have signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ )))))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* skip four more bytes to account for signature */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shy += 4 - readbuf((char *)buf, 4);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.zip64)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ shy += 8 - readbuf((char *)buf, 8); /* skip eight more for ZIP64 */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (shy)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ error = PK_ERR;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return error;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } /* end function extract_or_test_member() */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/globals.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/globals.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -181,6 +181,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # if (!defined(NO_TIMESTAMPS))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uO.D_flag=1; /* default to '-D', no restoration of dir timestamps */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ # endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.cover = NULL; /* not allocated yet */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uO.lflag=(-1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/globals.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/globals.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -260,12 +260,15 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ecdir_rec ecrec; /* used in unzip.c, extract.c */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ z_stat statbuf; /* used by main, mapname, check_for_newer */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int zip64; /* true if Zip64 info in extra field */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int mem_mode;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ uch *outbufptr; /* extract.c static */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ulg outsize; /* extract.c static */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int reported_backslash; /* extract.c static */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int disk_full;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int newfile;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ void **cover; /* used in extract.c for bomb detection */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int didCRlast; /* fileio static */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ulg numlines; /* fileio static: number of lines printed */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -637,6 +637,13 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* Free the cover span list and the cover structure. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (G.cover != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(*(G.cover));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ free(G.cover);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.cover = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } /* end function free_G_buffers() */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1913,6 +1920,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define Z64FLGS 0xffff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define Z64FLGL 0xffffffff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.zip64 = FALSE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ef_len == 0 || ef_buf == NULL)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_COOL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2084,6 +2093,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (ZCONST char *)(offset + ef_buf), ULen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.unipath_filename[ULen] = '\0';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.zip64 = TRUE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Skip this extra field block */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/unzip.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/unzip.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -645,6 +645,7 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define PK_NOZIP 9 /* zipfile not found */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define PK_PARAM 10 /* bad or illegal parameters specified */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define PK_FIND 11 /* no files found */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++#define PK_BOMB 12 /* likely zip bomb */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define PK_DISK 50 /* disk full */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #define PK_EOF 51 /* unexpected EOF */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch b/archivers/unzip/files/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..da1b52a
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/archivers/unzip/files/24-cve-2019-13232-do-not-raise-alert-for-misplaced-central-directory.patch
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,103 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+From: Mark Adler <madler@alumni.caltech.edu>
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Subject: Do not raise a zip bomb alert for a misplaced central directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Origin: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+Bug-Debian: https://bugs.debian.org/932404
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+X-Debian-version: 6.0-25
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Do not raise a zip bomb alert for a misplaced central directory.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ There is a zip-like file in the Firefox distribution, omni.ja,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ which is a zip container with the central directory placed at the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ start of the file instead of after the local entries as required
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ by the zip standard. This commit marks the actual location of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ central directory, as well as the end of central directory records,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ as disallowed locations. This now permits such containers to not
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ raise a zip bomb alert, where in fact there are no overlaps.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/extract.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -495,8 +495,11 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif /* !SFX || SFX_EXDIR */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- /* One more: initialize cover structure for bomb detection. Start with a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- span that covers the central directory though the end of the file. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ /* One more: initialize cover structure for bomb detection. Start with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ spans that cover any extra bytes at the start, the central directory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ the end of central directory record (including the Zip64 end of central
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ directory locator, if present), and the Zip64 end of central directory
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ record, if present. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.cover == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.cover = malloc(sizeof(cover_t));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (G.cover == NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -508,15 +511,25 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ((cover_t *)G.cover)->max = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ((cover_t *)G.cover)->num = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if ((G.extra_bytes != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cover_add((cover_t *)G.cover,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (cover_add((cover_t *)G.cover,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.extra_bytes + G.ecrec.offset_start_central_directory,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- G.ziplen) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.extra_bytes + G.ecrec.offset_start_central_directory +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.size_central_directory) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ LoadFarString(NotEnoughMemCover)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return PK_MEM;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ((G.extra_bytes != 0 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ (G.ecrec.have_ecr64 &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec64_end) != 0) ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cover_add((cover_t *)G.cover, G.ecrec.ec_start,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec_end) != 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Info(slide, 0x401, ((char *)slide,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ LoadFarString(OverlappedComponents)));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return PK_BOMB;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /*---------------------------------------------------------------------------
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ The basic idea of this function is as follows. Since the central di-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/process.c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1408,6 +1408,10 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Now, we are (almost) sure that we have a Zip64 archive. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.ecrec.have_ecr64 = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec_start -= ECLOC64_SIZE+4;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec64_start = ecrec64_start_offset;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec64_end = ecrec64_start_offset +
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ 12 + makeint64(&byterec[ECREC64_LENGTH]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Update the "end-of-central-dir offset" for later checks. */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.real_ecrec_offset = ecrec64_start_offset;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1542,6 +1546,8 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ makelong(&byterec[OFFSET_START_CENTRAL_DIRECTORY]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ G.ecrec.zipfile_comment_length =
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ makeword(&byterec[ZIPFILE_COMMENT_LENGTH]);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec_start = G.real_ecrec_offset;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ G.ecrec.ec_end = G.ecrec.ec_start + 22 + G.ecrec.zipfile_comment_length;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* Now, we have to read the archive comment, BEFORE the file pointer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ is moved away backwards to seek for a Zip64 ECLOC64 structure.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- a/unzpriv.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ b/unzpriv.h
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2185,6 +2185,16 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int have_ecr64; /* valid Zip64 ecdir-record exists */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int is_zip64_archive; /* Zip64 ecdir-record is mandatory */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ush zipfile_comment_length;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ zusz_t ec_start, ec_end; /* offsets of start and end of the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ end of central directory record,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ including if present the Zip64
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ end of central directory locator,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ which immediately precedes the
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ end of central directory record */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ zusz_t ec64_start, ec64_end; /* if have_ecr64 is true, then these
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ are the offsets of the start and
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ end of the Zip64 end of central
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ directory record */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } ecdir_rec;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;color:#808080;'>diff --git a/archivers/unzip/files/20-unzip60-alt-iconv-utf8.patch b/archivers/unzip/files/99-unzip60-alt-iconv-utf8.patch
</span>similarity index 100%
rename from archivers/unzip/files/20-unzip60-alt-iconv-utf8.patch
rename to archivers/unzip/files/99-unzip60-alt-iconv-utf8.patch
</pre><pre style='margin:0'>
</pre>