From: Robert Luberda <robert@debian.org>
Date: Sun, 15 May 2016 11:15:02 +0200
Subject: CVE-2016-2334
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Patch for the heap buffer overflow vulnerability in the HFS handler
(CVE-2016-2334), as posted by İsmail Dönmez to
https://sourceforge.net/p/p7zip/discussion/383043/thread/9d0fb86b/#1dba
---
 CPP/7zip/Archive/HfsHandler.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CPP/7zip/Archive/HfsHandler.cpp b/CPP/7zip/Archive/HfsHandler.cpp
index 8459280..47b8303 100644
--- CPP/7zip/Archive/HfsHandler.cpp
+++ CPP/7zip/Archive/HfsHandler.cpp
@@ -987,7 +987,9 @@ HRESULT CDatabase::LoadCatalog(const CFork &fork, const CObjectVector<CIdExtents
       item.GroupID = Get32(r + 0x24);
       item.AdminFlags = r[0x28];
       item.OwnerFlags = r[0x29];
+      */
       item.FileMode = Get16(r + 0x2A);
+      /*
       item.special.iNodeNum = Get16(r + 0x2C); // or .linkCount
       item.FileType = Get32(r + 0x30);
       item.FileCreator = Get32(r + 0x34);
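Review bot: The added `*/` and `/*` lines re-enable `item.FileMode = Get16(r + 0x2A);` by splitting the surrounding block comment, which leaves one live statement inside a region that still reads as dead code. Neither the hunk nor the commit message says why this field is part of the CVE-2016-2334 fix. I would move the assignment outside the commented-out block and give it a one-line comment, e.g. `// FileMode comes from untrusted catalog data; parsed here because <reason>`. The hunk also does not show whether the record length is checked to cover offset 0x2A + 2 before this read, so that is worth confirming. LoadCatalog's body starts and ends outside the hunk.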
@@ -1572,6 +1574,9 @@ HRESULT CHandler::ExtractZlibFile(
 
     UInt32 size = GetUi32(tableBuf + i * 8 + 4);
 
+    if (size > buf.Size() || size > kCompressionBlockSize + 1)
+        return S_FALSE;
+
     RINOK(ReadStream_FALSE(inStream, buf, size));
 
     if ((buf[0] & 0xF) == 0xF)
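Review bot: The new guard bounds `size` from above only, so `size == 0` from the attacker-controlled table still passes. In that case `ReadStream_FALSE(inStream, buf, size)` presumably reads nothing, and `buf[0]` on the following line is evaluated on whatever the buffer held before (stale data from a previous block, or uninitialized memory). Adding a lower bound closes that: `if (size == 0 || size > buf.Size() || size > kCompressionBlockSize + 1) return S_FALSE;`. The added `return` is also indented four columns where the surrounding code uses two. ExtractZlibFile continues outside the hunk, so any later use of `size - 1` should be checked against the same bounds.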
