p7zip: arbitrary code execution

• CVE-2016-2334 (arbitrary code execution)

An exploitable heap overflow vulnerability exists in the
NArchive::NHfs::CHandler::ExtractZlibFile method functionality of 7zip
that can lead to arbitrary code execution.
Before decompression, ExtractZlibFile method read block size and its
offset from file and after that read block data into static size buffer
"buf". Because there is no check whether size of block is bigger than
size of "buf", malformed size of block exceeding mentioned "buf" size
will cause buffer overflow and heap corruption.

• CVE-2016-2335 (arbitrary code execution)

An out of bound read vulnerability exists in the
CInArchive::ReadFileItem method functionality of 7zip for handling UDF
files that can lead to denial of service or code execution.
Because volumes can have more than one partition map their objects are
keep in object vector. To start looking for item, method tries to
achieve proper partition object using to this mentioned partition maps
object vector and "PartitionRef" field from Long Allocation Descriptor.
Lack of checking whether "PartitionRef" field is bigger than available
amount of partition map objects cause read out of bounds and can lead
in some circumstances to arbitrary code execution.