From fa920de64befd44885b71f5d927196ae642a5701 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C5=93ur?=
Date: Wed, 13 Nov 2024 06:05:40 +0100
Subject: [PATCH] ignore number_entry_cd when recover
---
 compat/unzip.c | 2 ++
 mz_zip.c | 3 ++-
 .../incorrect_number_entries.zip | Bin 0 -> 131 bytes
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzz/unzip_fuzzer_seed_corpus/incorrect_number_entries.zip
diff --git a/compat/unzip.c b/compat/unzip.c
index aa025bb5..3fa2e407 100644
--- a/compat/unzip.c
+++ b/compat/unzip.c
@@ -137,6 +137,8 @@ unzFile unzOpen_MZ(void *stream) {
 if (!handle)
 return NULL;
 
+ mz_zip_set_recover(handle, 1);
+
 err = mz_zip_open(handle, stream, MZ_OPEN_MODE_READ);
 if (err != MZ_OK) {
 mz_zip_delete(&handle);
diff --git a/mz_zip.c b/mz_zip.c
index f232d2e8..c2317321 100644
--- a/mz_zip.c
+++ b/mz_zip.c
@@ -980,7 +980,8 @@ static int32_t mz_zip_read_cd(void *handle) {
 if (err == MZ_OK)
 err = mz_stream_read_uint16(zip->stream, &value16);
 number_entry_cd = value16;
- if (number_entry_cd != zip->number_entry)
+ /* When recover is enabled, we can ignore incorrect number of entries */
+ if (number_entry_cd != zip->number_entry && !zip->recover)
 err = MZ_FORMAT_ERROR;
 /* Size of the central directory */
 if (err == MZ_OK)
diff --git a/test/fuzz/unzip_fuzzer_seed_corpus/incorrect_number_entries.zip b/test/fuzz/unzip_fuzzer_seed_corpus/incorrect_number_entries.zip
new file mode 100644
index 0000000000000000000000000000000000000000..ddd5e74dbe4f637ae9bbd60552abbc03ea841428
GIT binary patch literal 131 zcmWIWW@Zs#;Nak3Xp|_5WPk!zAPvG9sX00Mr#;S|Jju=w;LXm_woJf`9V!>#&B!Fj hjL?fL2hs}zOBz8eut@>ltZX0-BM=({u@#8J001!c5)l9Z literal 0 HcmV?d00001
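Review bot: `mz_zip_set_recover(handle, 1);` is unconditional in `unzOpen_MZ`, so every consumer of the compat API now gets recover-mode parsing with no way to opt out, and the call's result is not checked. Judging by the mz_zip.c hunk in this same commit, recover mode at least relaxes the central-directory entry-count check, so callers that use this entry point to validate or scan untrusted archives will accept files that a strict reader rejects, and may list entries differently from other ZIP tools. If this is meant to be the default, say so at the call, for example `/* compat API always opens in recover mode: inconsistent central-directory counts are tolerated */`, and mention it in the compat documentation. The body of unzOpen_MZ starts and ends outside the hunk.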
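Review bot: With `&& !zip->recover` added to the condition, a mismatch between `number_entry_cd` and `zip->number_entry` is dropped silently in recover mode, and parsing continues with `zip->number_entry`, one of two archive-supplied counts that are now known to disagree. Nothing in the visible lines reconciles that count against the entries actually present, so later code that trusts `zip->number_entry` (reported totals, iteration limits) would presumably be working from an unverified value. It would be safer for the mismatch to trigger a recount or rebuild of the central directory, if the recover path has such a routine. At minimum the new comment should state which value wins, e.g. `/* recover mode: mismatch tolerated, zip->number_entry is kept and number_entry_cd is discarded */`. The body of mz_zip_read_cd starts and ends outside the hunk.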