authorHans Wennborg <hans@chromium.org>2023-08-18 11:05:33 +0200
committerMark Adler <madler@alumni.caltech.edu>2023-08-19 11:56:12 -0700
commit73331a6a0481067628f065ffe87bb1d8f787d10c (patch)
tree69e8314d5c83a11107efe6a0ccc7adf6a83310de
parent726e18943df8c3bd75e6fa91f2ff24ba956a4f95 (diff)
Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment that would be put in the zip headers, and rejects them if they are too long. They are each limited to 65535 bytes in length by the zip format. This also avoids possible buffer overflows if the provided fields are too long.
-rw-r--r--contrib/minizip/zip.c11
1 files changed, 11 insertions, 0 deletions
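--- a/contrib/minizip/zip.c
+++ b/contrib/minizip/zip.c
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
  return ZIP_PARAMERROR;
 #endif
 
+ // The filename and comment length must fit in 16 bits.
+ if ((filename!=NULL) && (strlen(filename)>0xffff))
+ return ZIP_PARAMERROR;
+ if ((comment!=NULL) && (strlen(comment)>0xffff))
+ return ZIP_PARAMERROR;
+ // The extra field length must fit in 16 bits. If the member also requires
+ // a Zip64 extra block, that will also need to fit within that 16-bit
+ // length, but that will be checked for later.
+ if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
+ return ZIP_PARAMERROR;
+
  zi = (zip64_internal*)file;
 
  if (zi->in_opened_file_inzip == 1)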
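Review bot: The Zip64 case is covered only by the promise in the comment at new lines 1051-1053 ("that will be checked for later"). The test at new line 1054 bounds `size_extrafield_local` and `size_extrafield_global` individually, and nothing in this hunk shows where the caller's extra field plus the Zip64 block is compared against the 16-bit length before the header is written. The comment should name the function or statement that performs the deferred check, so a reader can confirm that it returns an error instead of letting the stored length wrap. Separately, the literal `0xffff` is repeated three times at new lines 1047, 1049 and 1054; a single named constant for the zip format's 16-bit field limit would keep the bound in one place. The body of zipOpenNewFileInZip4_64 starts and ends outside the hunk, so the later check may exist there and simply not be visible here.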