diff --git a/src/read.rs b/src/read.rs
index 61948941..7ab3be32 100644
--- a/src/read.rs
+++ b/src/read.rs
@@ -1361,16 +1361,50 @@ mod test { let reader = ZipArchive::new(Cursor::new(v)); assert!(reader.is_err()); } - + #[test] fn deflate64_index_out_of_bounds() -> std::io::Result<()> { - use std::io::Read; - let file: [u8; 815] = [80, 75, 1, 255, 5, 80, 75, 1, 2, 255, 255, 255, 153, 38, 0, 9, 0, 0, 0, 0, 0, 4, 6, 6, 80, 75, 5, 6, 0, 64, 6, 6, 75, 80, 0, 41, 0, 1, 0, 2, 80, 75, 5, 6, 0, 0, 0, 0, 1, 0, 0, 0, 35, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 148, 0, 0, 0, 0, 0, 0, 0, 0, 45, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 186, 191, 191, 191, 191, 6, 5, 4, 80, 75, 0, 0, 5, 0, 35, 0, 0, 78, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 5, 75, 80, 0, 1, 0, 1, 0, 9, 0, 9, 199, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 253, 255, 0, 0, 117, 117, 75, 4, 6, 0, 1, 9, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 36, 7, 5, 75, 80, 0, 1, 0, 1, 0, 9, 0, 9, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 253, 255, 0, 0, 117, 117, 75, 5, 6, 0, 1, 0, 1, 0, 0, 0, 0, 191, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 191, 253, 255, 0, 0, 117, 117, 75, 5, 6, 0, 1, 80, 75, 3, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 129, 0, 0, 0, 1, 1, 75, 80, 0, 0, 0, 0, 0, 0, 2, 80, 75, 0, 0, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 6, 5, 65, 2, 0, 0, 0, 0, 0, 0, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 255, 255, 255, 255, 255, 255, 69, 69, 69, 69, 69, 69, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 42, 69, 69, 69, 69, 68, 69, 240, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 6, 5, 75, 80, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 62, 69, 69, 69, 
69, 69, 69, 69, 1, 0, 0, 0, 0, 0, 0, 16, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 7, 5, 75, 80, 129, 129, 129, 129, 129, 48, 1, 0, 0, 0, 0, 0, 0, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 0, 0, 0, 0, 0, 69, 69, 69, 69, 69, 69, 61, 43, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 192, 192, 192, 192, 192, 192, 192, 192, 0, 35, 0, 0, 0, 0, 0, 0, 5, 6, 0, 0, 1, 0, 0, 0, 9, 4, 253, 255, 6, 5, 75, 80, 0, 0, 0, 2, 0, 132, 255, 255, 255, 107, 1, 0, 0, 0, 0, 69, 129, 129, 129, 129, 129, 129, 73, 129, 129, 129, 129, 129, 129, 129, 129, 7, 5, 75, 80, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 74, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 0, 0, 0, 0, 0, 69, 69, 69, 69, 69, 69, 61, 61, 1, 0, 0, 0, 0, 0, 0, 16, 61, 61, 61, 61, 255, 255, 255, 255, 255, 255, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 80, 191, 0]; + let file: [u8; 815] = [ + 80, 75, 1, 255, 5, 80, 75, 1, 2, 255, 255, 255, 153, 38, 0, 9, 0, 0, 0, 0, 0, 4, 6, 6, + 80, 75, 5, 6, 0, 64, 6, 6, 75, 80, 0, 41, 0, 1, 0, 2, 80, 75, 5, 6, 0, 0, 0, 0, 1, 0, + 0, 0, 35, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 148, 0, 0, 0, 0, 0, 0, 0, 0, 45, 0, 0, 0, 0, + 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 186, 191, 191, 191, 191, 6, 5, + 4, 80, 75, 0, 0, 5, 0, 35, 0, 0, 78, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 5, + 75, 80, 0, 1, 0, 1, 0, 9, 0, 9, 199, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, + 191, 191, 
191, 191, 253, 255, 0, 0, 117, 117, 75, 4, 6, 0, 1, 9, 1, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 36, 7, 5, 75, 80, 0, 1, 0, 1, 0, 9, 0, 9, 191, 191, 191, + 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 191, 253, 255, 0, 0, 117, 117, + 75, 5, 6, 0, 1, 0, 1, 0, 0, 0, 0, 191, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 191, 253, 255, 0, 0, 117, 117, 75, 5, 6, 0, 1, 80, 75, 3, 4, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 129, 0, 0, 0, 1, 1, 75, 80, 0, 0, 0, 0, 0, 0, 2, 80, 75, 0, 0, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 6, 5, 65, 2, 0, 0, 0, 0, 0, + 0, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, + 69, 69, 69, 69, 69, 255, 255, 255, 255, 255, 255, 69, 69, 69, 69, 69, 69, 61, 61, 61, + 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 42, 42, 42, 42, 42, 42, 42, + 42, 42, 42, 42, 42, 42, 42, 69, 69, 69, 69, 68, 69, 240, 69, 69, 69, 69, 69, 69, 69, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 6, 5, 75, 80, 69, 69, 69, 69, 69, 69, 69, 69, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, + 69, 69, 69, 69, 62, 69, 69, 69, 69, 69, 69, 69, 1, 0, 0, 0, 0, 0, 0, 16, 69, 69, 69, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, + 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, + 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 236, 129, + 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 7, 5, 75, 80, 129, + 129, 129, 129, 129, 48, 1, 0, 0, 0, 0, 0, 0, 129, 129, 129, 129, 129, 129, 129, 129, + 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 0, + 0, 0, 0, 0, 69, 69, 69, 69, 69, 69, 61, 43, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, + 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 
61, 61, 61, 61, 61, 61, + 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 69, 192, 192, 192, 192, + 192, 192, 192, 192, 0, 35, 0, 0, 0, 0, 0, 0, 5, 6, 0, 0, 1, 0, 0, 0, 9, 4, 253, 255, 6, + 5, 75, 80, 0, 0, 0, 2, 0, 132, 255, 255, 255, 107, 1, 0, 0, 0, 0, 69, 129, 129, 129, + 129, 129, 129, 73, 129, 129, 129, 129, 129, 129, 129, 129, 7, 5, 75, 80, 129, 129, 129, + 129, 129, 129, 129, 129, 129, 129, 129, 129, 74, 129, 129, 129, 129, 129, 129, 129, + 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 129, 0, 0, 0, 0, 0, 69, 69, 69, + 69, 69, 69, 61, 61, 1, 0, 0, 0, 0, 0, 0, 16, 61, 61, 61, 61, 255, 255, 255, 255, 255, + 255, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 61, 80, 191, 0, + ]; let mut reader = ZipArchive::new(Cursor::new(file))?; - for i in 0..reader.len() { - let mut file = reader.by_index(i)?.take(1024); - std::io::copy(&mut file, &mut std::io::sink())?; - } + std::io::copy(&mut reader.by_index(0)?, &mut std::io::sink()).expect_err("Invalid file"); Ok(()) } }
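Review bot: The new assertion in `deflate64_index_out_of_bounds` accepts any `io::Error` from the copy, so the test would also pass on an unrelated failure and no longer pins down what this malformed input is supposed to trigger. The `expect_err` text is printed only when the copy unexpectedly succeeds, so `"Invalid file"` reads backwards there; something like `.expect_err("reading the malformed deflate64 entry must return an error, not succeed")` says what went wrong. With the `.take(1024)` cap removed, the read is also unbounded, so a decoder regression that kept producing output for this input would presumably hang the test rather than fail it. If a cap is restored it has to be large enough to still reach the error, and it needs the `use std::io::Read;` that this hunk removes. A short comment above the byte array saying where the input came from (it looks like a fuzzer-found case, so confirm) and which error is expected would make the fixture reviewable.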