diff options
| -rw-r--r-- | archival/unzip.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/archival/unzip.c b/archival/unzip.c index d5bca08d4..b618c3617 100644 --- a/archival/unzip.c +++ b/archival/unzip.c | |||
| @@ -318,6 +318,12 @@ static uint32_t read_next_cdf(uint32_t cdf_offset, cdf_header_t *cdf) | |||
| 318 | }; | 318 | }; |
| 319 | #endif | 319 | #endif |
| 320 | 320 | ||
| 321 | static void die_if_bad_fnamesize(unsigned sz) | ||
| 322 | { | ||
| 323 | if (sz > 0xfff) /* more than 4k?! no funny business please */ | ||
| 324 | bb_error_msg_and_die("bad archive"); | ||
| 325 | } | ||
| 326 | |||
| 321 | static void unzip_skip(off_t skip) | 327 | static void unzip_skip(off_t skip) |
| 322 | { | 328 | { |
| 323 | if (skip != 0) | 329 | if (skip != 0) |
| @@ -340,8 +346,7 @@ static void unzip_extract_symlink(zip_header_t *zip, const char *dst_fn) | |||
| 340 | { | 346 | { |
| 341 | char *target; | 347 | char *target; |
| 342 | 348 | ||
| 343 | if (zip->fmt.ucmpsize > 0xfff) /* no funny business please */ | 349 | die_if_bad_fnamesize(zip->fmt.ucmpsize); |
| 344 | bb_error_msg_and_die("bad archive"); | ||
| 345 | 350 | ||
| 346 | if (zip->fmt.method == 0) { | 351 | if (zip->fmt.method == 0) { |
| 347 | /* Method 0 - stored (not compressed) */ | 352 | /* Method 0 - stored (not compressed) */ |
| @@ -784,6 +789,7 @@ int unzip_main(int argc, char **argv) | |||
| 784 | 789 | ||
| 785 | /* Read filename */ | 790 | /* Read filename */ |
| 786 | free(dst_fn); | 791 | free(dst_fn); |
| 792 | die_if_bad_fnamesize(zip.fmt.filename_len); | ||
| 787 | dst_fn = xzalloc(zip.fmt.filename_len + 1); | 793 | dst_fn = xzalloc(zip.fmt.filename_len + 1); |
| 788 | xread(zip_fd, dst_fn, zip.fmt.filename_len); | 794 | xread(zip_fd, dst_fn, zip.fmt.filename_len); |
| 789 | /* Skip extra header bytes */ | 795 | /* Skip extra header bytes */ |