From: Roland Shoemaker <roland@golang.org>
Date: Wed, 18 Aug 2021 18:49:29 +0000 (-0700)
Subject: CVE-2021-39293
X-Git-Tag: archive/raspbian/1.15.15-1_deb11u2+rpi1^2~5
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=39a2dfd887f03099c6756790c29ccc8823ed6817;p=golang-1.15.git

CVE-2021-39293

Origin: backport, https://github.com/golang/go/commit/bacbc334

Gbp-Pq: Name 0007-CVE-2021-39293.patch
---

diff --git a/src/archive/zip/reader.go b/src/archive/zip/reader.go
index 2d5151af..a6957739 100644
--- a/src/archive/zip/reader.go
+++ b/src/archive/zip/reader.go
@@ -90,7 +90,7 @@ func (z *Reader) init(r io.ReaderAt, size int64) error {
 	// indicate it contains up to 1 << 128 - 1 files. Since each file has a
 	// header which will be _at least_ 30 bytes we can safely preallocate
 	// if (data size / 30) >= end.directoryRecords.
-	if (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
+	if end.directorySize < uint64(size) && (uint64(size)-end.directorySize)/30 >= end.directoryRecords {
 		z.File = make([]*File, 0, end.directoryRecords)
 	}
 	z.Comment = end.comment
diff --git a/src/archive/zip/reader_test.go b/src/archive/zip/reader_test.go
index 6f67d2e4..ef6ff5f6 100644
--- a/src/archive/zip/reader_test.go
+++ b/src/archive/zip/reader_test.go
@@ -1129,3 +1129,21 @@ func TestCVE202133196(t *testing.T) {
 		t.Errorf("Archive has unexpected number of files, got %d, want 5", len(r.File))
 	}
 }
+
+func TestCVE202139293(t *testing.T) {
+	// directory size is so large, that the check in Reader.init
+	// overflows when subtracting from the archive size, causing
+	// the pre-allocation check to be bypassed.
+	data := []byte{
+		0x50, 0x4b, 0x06, 0x06, 0x05, 0x06, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x50, 0x4b,
+		0x06, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		0x00, 0x00, 0x00, 0x50, 0x4b, 0x05, 0x06, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+		0xff, 0x50, 0xfe, 0x00, 0xff, 0x00, 0x3a, 0x00, 0x00, 0x00, 0xff,
+	}
+	_, err := NewReader(bytes.NewReader(data), int64(len(data)))
+	if err != ErrFormat {
+		t.Fatalf("unexpected error, got: %v, want: %v", err, ErrFormat)
+	}
+}