From c88d3ef49a95f28f98c7d737e8d16e85bf7793b4 Mon Sep 17 00:00:00 2001
From: Emmanuel Bourg
Date: Sat, 7 Oct 2023 13:28:11 +0200
Subject: [PATCH] Fixed the parsing of invalid ZIP64 extended information extra fields
---
 .../appx/Zip64ExtendedInfoExtraField.java | 27 +++++++++++-------
 ...ticodeAppxSignerFuzzer-6066122517250048.gz | Bin 0 -> 229 bytes
 2 files changed, 16 insertions(+), 11 deletions(-)
 create mode 100644 jsign-core/src/test/resources/fuzzer/clusterfuzz-testcase-minimized-AuthenticodeAppxSignerFuzzer-6066122517250048.gz
diff --git a/jsign-core/src/main/java/net/jsign/appx/Zip64ExtendedInfoExtraField.java b/jsign-core/src/main/java/net/jsign/appx/Zip64ExtendedInfoExtraField.java
index 91da2686..28687a9c 100644
--- a/jsign-core/src/main/java/net/jsign/appx/Zip64ExtendedInfoExtraField.java
+++ b/jsign-core/src/main/java/net/jsign/appx/Zip64ExtendedInfoExtraField.java
@@ -17,6 +17,7 @@ package net.jsign.appx;
 import java.io.IOException;
+import java.nio.BufferUnderflowException;
 import java.nio.ByteBuffer;
 import static java.nio.ByteOrder.*;
@@ -62,17 +63,21 @@ public Zip64ExtendedInfoExtraField(long uncompressedSize, long compressedSize, l
 @Override
 protected void parse() throws IOException {
 ByteBuffer buffer = ByteBuffer.wrap(data).order(LITTLE_ENDIAN);
- if (uncompressedSize != -1) {
- uncompressedSize = buffer.getLong();
- }
- if (compressedSize != -1) {
- compressedSize = buffer.getLong();
- }
- if (localHeaderOffset != -1) {
- localHeaderOffset = buffer.getLong();
- }
- if (diskNumberStart != -1) {
- diskNumberStart = buffer.getInt();
+ try {
+ if (uncompressedSize != -1) {
+ uncompressedSize = buffer.getLong();
+ }
+ if (compressedSize != -1) {
+ compressedSize = buffer.getLong();
+ }
+ if (localHeaderOffset != -1) {
+ localHeaderOffset = buffer.getLong();
+ }
+ if (diskNumberStart != -1) {
+ diskNumberStart = buffer.getInt();
+ }
+ } catch (BufferUnderflowException e) {
+ throw new IOException("Invalid ZIP64 extended information extra field", e);
 }
 }
diff --git a/jsign-core/src/test/resources/fuzzer/clusterfuzz-testcase-minimized-AuthenticodeAppxSignerFuzzer-6066122517250048.gz b/jsign-core/src/test/resources/fuzzer/clusterfuzz-testcase-minimized-AuthenticodeAppxSignerFuzzer-6066122517250048.gz
new file mode 100644
index 0000000000000000000000000000000000000000..89c58e240ccbc368d37c0c3d9efe0dae11790efa
GIT binary patch
literal 229
zcmVzWpYM!dU|DYEjBPVHZd|XH8D3bH83zVH~Up2Gb%GMfDB;>
z2vGe0&^z**W`F@B6VnDo28Mq?jrD>I(oi!PWEmLvfE3V-BA24Xa*zqRsd**FOdv`B
fq%5F0tZYE027@)DH3J6=0|Wp7_oWWYqW}N^ND5fK
literal 0
HcmV?d00001
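Review bot: The new `try`/`catch` only rejects an extra field that is too short; the three 8-byte values it assigns are never range-checked, so a crafted field with the sign bit set leaves `uncompressedSize`, `compressedSize` or `localHeaderOffset` negative, and those values presumably feed seeking or buffer sizing elsewhere in the signer (not visible in this hunk). Since a size or offset above Long.MAX_VALUE is meaningless for this parser, it is cheaper to reject it here with the same IOException than to let it surface later as an out-of-range position or allocation error; the `-1` sentinel is only ever left in fields that are *not* read, so checking the freshly read value for `< 0` does not clash with it. A one-line comment on the `try` would also document the intent of the catch, e.g. `// a truncated field throws BufferUnderflowException; report it as a parse error instead of a runtime exception`. The `parse()` method is complete within the hunk, but the fields it assigns and the constructor that seeds the sentinels are outside it.
```java
            if (uncompressedSize != -1) {
                uncompressedSize = readNonNegativeLong(buffer);
            }
            // … same readNonNegativeLong(buffer) replacement for compressedSize and localHeaderOffset …
            // … unchanged: diskNumberStart read, catch of BufferUnderflowException …

    /**
     * Reads the next 8-byte little-endian value and rejects one whose sign bit is set,
     * since a size or offset above Long.MAX_VALUE cannot be represented as a valid position.
     *
     * @throws BufferUnderflowException if fewer than 8 bytes remain (handled by the caller)
     * @throws IOException if the value is negative when interpreted as a signed long
     */
    private static long readNonNegativeLong(ByteBuffer buffer) throws IOException {
        long value = buffer.getLong();
        if (value < 0) {
            throw new IOException("Invalid ZIP64 extended information extra field: value out of range");
        }
        return value;
    }
```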