Reject oversized self-update ZIP entries#784
Conversation
d1d8272 to
ce1f704
Compare
|
Thanks for the cppcheck cleanup. Triage: bug/static-analysis cleanup touching CLI ZIP parsing and Cypher null handling. Review will check that the ZIP size/bounds changes have regression coverage for truncation and allocation overflow, and that the Cypher changes preserve the intended NULL semantics. This looks focused, but it still needs normal test/lint evidence because it changes parser/evaluator behavior. |
|
Thanks — all four hunk groups check out as genuine fixes: the LE helpers are behavior-identical, the size_t widening is sound, and we verified the cypher IS NULL guards are truly unreachable (eval_condition returns early on !actual just above). Two asks before merge, both about the third hunk — which is much more than lint cleanup: the old int-cast truncation check is genuinely bypassable for comp_size >= 2^31, letting inflate read past the downloaded archive buffer. That's a real bounds-check fix in the self-update path and deserves to be visible, not buried: (1) please retitle/split so the security-relevant fix is called out (its own commit at minimum, ideally its own PR line in the body); (2) the current regression test passes on unfixed code — comp_size=65536 against a 49-byte buffer already fails the old check, and it never triggers the >=2^31 overflow nor the DEFLATE path. Please make it red-first: comp_size >= 0x80000000 (e.g. 0xFFFF0000) with method=DEFLATE, so it fails on main and passes only with the corrected check. Then we're glad to merge. Thanks! Update: to keep momentum on the bug backlog, we're going to carry the changes above over the line ourselves shortly — a distilled follow-up on current main implementing the notes in this thread, with you credited as |
ce1f704 to
1d1c718
Compare
Signed-off-by: SS-42 <noreply@incogni.to>
Signed-off-by: SS-42 <noreply@incogni.to>
1d1c718 to
d520a01
Compare
The truncation check `header_end + (int)comp_size > data_len` was bypassable for comp_size >= 2^31: the int cast turns the size negative, the sum drops below data_len, and the entry is accepted -- authorizing inflate to read up to ~4GB past the downloaded archive buffer during self-update ZIP extraction. Replace it with `header_end > data_len || comp_size > (uint32_t)(data_len - header_end)`, which is overflow-safe and strictly tighter. Regression guard cli_extract_binary_from_zip_rejects_truncated_deflate_size_over_int_max builds a 52-byte archive whose entry claims comp_size=0xFFFF0000 with a self-terminating DEFLATE stream: the old check admits it and extraction returns non-NULL (verified red pre-fix); the new check rejects it. Secondary cppcheck cleanups from the same review: - cli.c: extract zip_read_u16le/zip_read_u32le little-endian helpers (behavior-identical) and widen zip_extract_entry sizes to size_t with an explicit UINT_MAX guard before the zlib uInt narrowing. - cypher.c: drop unreachable IS NULL / IS NOT NULL null guards in eval_condition (resolve_condition_value result is checked earlier). Distilled from PR DeusData#784. Co-authored-by: SS-42 <noreply@incogni.to> Signed-off-by: Martin Vogel <martin.vogel.tech@gmail.com>
|
Thank you — every hunk here was a genuine fix, and the ZIP truncation change was much more than lint cleanup: the int-cast bypass for comp_size >= 2^31 was a real OOB-read in self-update extraction, and we've retitled it accordingly so it gets the visibility it deserves. Special thanks for amending the regression test to the 0xFFFF0000 case after the review — we verified it's a genuine red-first guard and carried it as-is. Merged as 010ac9b (PR #812) with you credited as co-author. Closing in favor of the distill — thanks again! |
Summary
Observed locally on macOS 26.5.2 (Darwin 25.5.0, arm64) with Cppcheck 2.21.0 and Homebrew clang-format 22.1.8.
Tests
header_end + (int)comp_size > data_lencheck restored,ASAN_OPTIONS=detect_leaks=0 ./build/c/test-runner clifailscli_extract_binary_from_zip_rejects_truncated_deflate_size_over_int_maxbecause the truncated deflated entry is acceptedscripts/lint.sh --cimake -f Makefile.cbm build/c/test-runner CC=clang CXX=clang++ASAN_OPTIONS=detect_leaks=0 ./build/c/test-runner cli cypher