STINNER Victor added the comment:

read_directory() uses fseek() and ftell() which don't support offsets larger 
than LONG_MAX (2 GB on 32-bit systems).  I don't know if it's an issue. What 
happens if the file is longer?

"header_offset += arc_offset;" can overflow or not? This instruction looks weird.

    header_position = ftell(fp);
    ...
    header_offset = get_long((unsigned char *)endof_central_dir + 16);
    arc_offset = header_position - header_offset - header_size;
    header_offset += arc_offset;

If I computed correctly, the final line can be replaced with:

    arc_offset = header_position - header_offset - header_size;
    header_offset = header_position - header_size;

(It is weird to reuse header_position for two different values, a new variable 
may be added.)

Instead of checking that "header_offset > LONG_MAX", it may be safer to check 
that:

 - header_size >= 0
 - header_offset >= 0
 - header_offset + header_size <= LONG_MAX ---> header_offset <= LONG_MAX - header_size
 - arc_offset >= 0 ---> header_position >= header_offset + header_size
 - header_offset > 0 ---> header_position >= header_size

If all these values must be positive according to ZIP format, get_long() may be 
replaced with get_ulong() to simplify these checks.

----------
nosy: +haypo
title: overflow in zipexport.c -> Integer overflow in zipimport.c

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue19883>
_______________________________________
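The checks proposed in the comment above, written out as a standalone C function. This is an added example, not code from zipimport.c or from the comment's author; the function name zip_arc_offset, the companion zip_dir_start, and the sample values are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper (not from zipimport.c): validate the values that
 * read_directory() derives from the end-of-central-directory record and
 * return the archive prefix length ("arc_offset"), or -1 if any check fails.
 * All inputs are long because ftell() returns long.
 *   header_position: ftell() position of the end-of-central-directory record
 *   header_offset:   central directory offset as stored in the record
 *   header_size:     central directory size as stored in the record */
long zip_arc_offset(long header_position, long header_offset, long header_size)
{
    /* The ZIP format stores these as unsigned fields, so negatives are bogus. */
    if (header_size < 0 || header_offset < 0 || header_position < 0)
        return -1;
    /* header_offset + header_size must fit in a long before it is computed. */
    if (header_offset > LONG_MAX - header_size)
        return -1;
    /* arc_offset >= 0: the central directory must end at or before the
     * end-of-central-directory record, i.e. header_position >= offset + size. */
    if (header_position < header_offset + header_size)
        return -1;
    /* With the checks above, header_position >= header_size also holds, so
     * neither subtraction can go negative or overflow. */
    return header_position - header_offset - header_size;
}

/* Adjusted start of the central directory: header_offset + arc_offset, which
 * the comment above shows is simply header_position - header_size.  Returns
 * -1 when the inputs do not pass zip_arc_offset(). */
long zip_dir_start(long header_position, long header_offset, long header_size)
{
    if (zip_arc_offset(header_position, header_offset, header_size) < 0)
        return -1;
    return header_position - header_size;
}

int main(void)
{
    /* Constructed sample: a 64-byte central directory whose end-of-central-
     * directory record sits at offset 1000 in an archive with a 100-byte
     * prefix (e.g. a stub prepended to the zip), so the stored offset is 836. */
    printf("arc_offset=%ld dir_start=%ld\n",
           zip_arc_offset(1000, 836, 64), zip_dir_start(1000, 836, 64));
    /* Constructed hostile value: header_offset close to LONG_MAX is rejected
     * because header_offset + header_size would exceed LONG_MAX. */
    printf("hostile -> %ld\n", zip_arc_offset(1000, LONG_MAX - 10, 64));
    return 0;
}
```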