authormancha <mancha1@zoho.com>2015-02-23 23:13:00 +0000
committerPeter Simons <simons@cryp.to>2015-03-09 15:55:24 +0100
commitf43d759bc410de0f04523c8f13979e529794ddbd (patch)
tree708dc8bf6ba8dd17f64c466598d716dd582d6a9b /pkgs/tools/archivers/unzip
parentc4ff9d10bab7317d7d47a3b21717e8e4c5e8bf3e (diff)
unzip: fix CVE-2014-9636 patch
Close #6544, fixes #6543.
vcunat: no security impact; just fixes false rejections of some rarer
inputs - a problem introduced by the CVE patch.
Diffstat (limited to 'pkgs/tools/archivers/unzip')
-rw-r--r--pkgs/tools/archivers/unzip/CVE-2014-9636.diff9
1 files changed, 5 insertions, 4 deletions
diff --git a/pkgs/tools/archivers/unzip/CVE-2014-9636.diff b/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
index aeaf3e70de6..d4c7f752975 100644
--- a/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
+++ b/pkgs/tools/archivers/unzip/CVE-2014-9636.diff
@@ -1,6 +1,6 @@
-From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
+From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
 From: mancha <mancha1 AT zoho DOT com>
-Date: Mon, 3 Nov 2014
+Date: Wed, 11 Feb 2015
 Subject: Info-ZIP UnZip buffer overflow
 
 By carefully crafting a corrupt ZIP archive with "extra fields" that
@@ -26,12 +26,13 @@ This patch ensures that when extra fields use STORED mode, the
  
      if (compr_offset < 4)                /* field is not compressed: */
          return PK_OK;                    /* do nothing and signal OK */
-@@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
+@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
           eb_size <= (compr_offset + EB_CMPRHEADLEN)))
          return IZ_EF_TRUNC;               /* no compressed data! */
  
 +    method = makeword(eb + (EB_HEADSIZE + compr_offset));
-+    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
++    if ((method == STORED) &&
++        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
 +	return PK_ERR;			  /* compressed & uncompressed
 +					   * should match in STORED
 +					   * method */
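Review bot: The rewritten STORED check `eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize` is only sound while `eb_size` is at least `compr_offset + EB_CMPRHEADLEN`, and the hunk shows just the tail of the truncation guard that is supposed to ensure this. If the part of that `if` outside the hunk joins the bound with another condition, and these sizes are unsigned as the arithmetic suggests, the difference can wrap and then be compared against the archive-supplied `eb_ucsize`. Making the bound explicit removes the dependency: `if ((method == STORED) && (eb_size < compr_offset + EB_CMPRHEADLEN || eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))`. The existing comment could also say that the compressed length excludes the EB_CMPRHEADLEN-byte header, since omitting that header is the mistake this commit corrects. test_compr_eb starts and ends outside the hunk.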