Reject overflows of zip header fields in minizip.
This checks the lengths of the file name, extra field, and comment
that would be put in the zip headers, and rejects them if they are
too long. They are each limited to 65535 bytes in length by the zip
format. This also avoids possible buffer overflows if the provided
fields are too long.
zmodem authored and madler committed Aug 19, 2023
1 parent 726e189 commit 73331a6
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions contrib/minizip/zip.c
Expand Up @@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
return ZIP_PARAMERROR;
#endif

// The filename and comment length must fit in 16 bits.
if ((filename!=NULL) && (strlen(filename)>0xffff))

irwir Aug 19, 2023

Always true here: (filename!=NULL)
But the check at lines 1035-1037 could be removed and this line changed to
if ((filename==NULL) || (strlen(filename)>0xffff))
And comment text above this line adjusted.

irwir Aug 19, 2023

Fixed suggested code change in previous message.

madler Aug 20, 2023

Owner

You're confusing file with filename.

irwir Aug 20, 2023

Right. Sorry for the trouble.

return ZIP_PARAMERROR;
if ((comment!=NULL) && (strlen(comment)>0xffff))
return ZIP_PARAMERROR;
// The extra field length must fit in 16 bits. If the member also requires
// a Zip64 extra block, that will also need to fit within that 16-bit
// length, but that will be checked for later.
if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
return ZIP_PARAMERROR;

zi = (zip64_internal*)file;

if (zi->in_opened_file_inzip == 1)
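
Review bot: The extra-field check on `size_extrafield_local` and `size_extrafield_global` bounds only the caller-supplied sizes, and its comment defers the combined Zip64 case to a check that "will be checked for later", which is not among the 11 lines added here. Naming in the comment where that later check lives would let a reader verify the 16-bit guarantee without searching the rest of zip.c. Separately, `0xffff` is repeated four times across the filename, comment and extra-field tests; a single named constant would tie all of them to the 65535-byte format limit the commit message cites.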

0 comments on commit 73331a6
