diff --git a/thirdparty/README.md b/thirdparty/README.md index 03aa9d72324..f3304fb6720 100644 --- a/thirdparty/README.md +++ b/thirdparty/README.md @@ -341,6 +341,8 @@ Important: Some files have Godot-made changes for use in core/io. They are marked with `/* GODOT start */` and `/* GODOT end */` comments and a patch is provided in the `patches` folder. +Another patch is included to fix CVE-2023-45853. + ## misc diff --git a/thirdparty/minizip/patches/CVE-2023-45853.patch b/thirdparty/minizip/patches/CVE-2023-45853.patch new file mode 100644 index 00000000000..784c57766f2 --- /dev/null +++ b/thirdparty/minizip/patches/CVE-2023-45853.patch @@ -0,0 +1,36 @@ +From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001 +From: Hans Wennborg +Date: Fri, 18 Aug 2023 11:05:33 +0200 +Subject: [PATCH] Reject overflows of zip header fields in minizip. + +This checks the lengths of the file name, extra field, and comment +that would be put in the zip headers, and rejects them if they are +too long. They are each limited to 65535 bytes in length by the zip +format. This also avoids possible buffer overflows if the provided +fields are too long. +--- + contrib/minizip/zip.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c +index 3d3d4cadd..0446109b2 100644 +--- a/contrib/minizip/zip.c ++++ b/contrib/minizip/zip.c +@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c + return ZIP_PARAMERROR; + #endif + ++ // The filename and comment length must fit in 16 bits. ++ if ((filename!=NULL) && (strlen(filename)>0xffff)) ++ return ZIP_PARAMERROR; ++ if ((comment!=NULL) && (strlen(comment)>0xffff)) ++ return ZIP_PARAMERROR; ++ // The extra field length must fit in 16 bits. If the member also requires ++ // a Zip64 extra block, that will also need to fit within that 16-bit ++ // length, but that will be checked for later. ++ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) ++ return ZIP_PARAMERROR; ++ + zi = (zip64_internal*)file; + + if (zi->in_opened_file_inzip == 1) diff --git a/thirdparty/minizip/zip.c b/thirdparty/minizip/zip.c index e859f9e42f1..d76c643dfbd 100644 --- a/thirdparty/minizip/zip.c +++ b/thirdparty/minizip/zip.c @@ -1045,6 +1045,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c return ZIP_PARAMERROR; #endif + // The filename and comment length must fit in 16 bits. + if ((filename!=NULL) && (strlen(filename)>0xffff)) + return ZIP_PARAMERROR; + if ((comment!=NULL) && (strlen(comment)>0xffff)) + return ZIP_PARAMERROR; + // The extra field length must fit in 16 bits. If the member also requires + // a Zip64 extra block, that will also need to fit within that 16-bit + // length, but that will be checked for later. + if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff)) + return ZIP_PARAMERROR; + zi = (zip64_internal*)file; if (zi->in_opened_file_inzip == 1)