Reject overflows of zip header fields in minizip compat
This checks the lengths of the file name, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.

See #736.
zmodem authored and nmoinvaz committed Dec 6, 2023
1 parent ef3ef9a commit 2c2d6e5
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions mz_compat.c
Expand Up @@ -463,6 +463,12 @@ int zipOpenNewFileInZip5(zipFile file, const char *filename, const zip_fileinfo
if (!compat)
return ZIP_PARAMERROR;

// The filename and comment length must fit in 16 bits.
if (filename && strlen(filename) > 0xffff)
return ZIP_PARAMERROR;
if (comment && strlen(comment) > 0xffff)
return ZIP_PARAMERROR;

memset(&file_info, 0, sizeof(file_info));

if (zipfi) {
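
Review bot: The two added checks before the memset repeat the bare literal 0xffff; a named limit such as UINT16_MAX from <stdint.h> would tie the comparison directly to the "must fit in 16 bits" comment and keep the two checks from drifting apart. The boundary itself looks right (a length of exactly 65535 is accepted, 65536 is rejected), but the commit touches only mz_compat.c, so a test that passes a 65535-byte and a 65536-byte filename and comment would pin that behaviour. If this function also accepts other caller-supplied variable-length data that is written into a 16-bit header length field, that data needs the same rejection here, since the commit message covers only the file name and comment.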