From 0f4bd53ef007b2b593a68bb374f4babf644f4287 Mon Sep 17 00:00:00 2001
From: mancha
Date: Mon, 3 Nov 2014
Subject: Info-ZIP UnZip buffer overflow

By carefully crafting a corrupt ZIP archive with extra fields that purport to have compressed blocks larger than the corresponding uncompressed blocks, an attacker can trigger a heap overflow which can result in application crash or possibly have unspecified other impact.

This patch ensures extra fields can't claim to contain a block with a a compressed size larger than its uncompressed size.

---
 extract.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/extract.c
+++ b/extract.c
@@ -2226,6 +2226,9 @@ static int test_compr_eb(__G__ eb, eb_si
 eb_size <= (compr_offset + EB_CMPRHEADLEN)))
 return IZ_EF_TRUNC; /* no compressed data! */
 
+ if (eb_size - compr_offset > (unsigned)eb_ucsize)
+ return IZ_EF_TRUNC; /* compressed > uncompressed */
+
 if (
 #ifdef INT_16BIT
 (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
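Review bot: The new guard in the hunk treats "compressed larger than uncompressed" as proof of corruption, but a compressed block can legitimately exceed its payload by a few bytes (incompressible data still carries block-header overhead), so well-formed extra fields can now be refused with IZ_EF_TRUNC; the size ratio is a heuristic, and the durable mitigation for the heap overflow described in the message is to bound what the decompression step (outside this hunk) may write into the eb_ucsize buffer. The `(unsigned)eb_ucsize` cast is also suspect: the neighbouring INT_16BIT check suggests eb_ucsize is wider than unsigned on some targets, and narrowing it can make an oversize value compare as small, so comparing in the wider type, `if ((ulg)(eb_size - compr_offset) > eb_ucsize)`, is safer. Reusing IZ_EF_TRUNC for a non-truncation condition also misinforms callers; if a dedicated code is not wanted, a comment such as `/* IZ_EF_TRUNC reused deliberately: no distinct code for inconsistent sizes */` would at least make that explicit. test_compr_eb begins and ends outside the hunk, so the declaration of eb_ucsize and the later use of the buffer could not be checked here.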