From 34d8fba10054c150be1be7d492b6b3d9c7a659da Mon Sep 17 00:00:00 2001 From: Alex Rebert Date: Wed, 5 Jan 2022 10:01:46 -0500 Subject: [PATCH] Fix stack overflow in ZipArchiveIOSystem::MapArchive The function allocates a filename buffer of 256, and copies the filename extracted from the zip file into it. However, a filename might be larger than 256 characters, in which case the function would write out of bounds. This commit skips any file whose name is larger than 256 to avoid the overflow. Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38870 Fix #4228 --- code/Common/ZipArchiveIOSystem.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code/Common/ZipArchiveIOSystem.cpp b/code/Common/ZipArchiveIOSystem.cpp index 7df51b8aa..03ff6ce81 100644 --- a/code/Common/ZipArchiveIOSystem.cpp +++ b/code/Common/ZipArchiveIOSystem.cpp @@ -372,7 +372,7 @@ void ZipArchiveIOSystem::Implement::MapArchive() { unz_file_info fileInfo; if (unzGetCurrentFileInfo(m_ZipFileHandle, &fileInfo, filename, FileNameSize, nullptr, 0, nullptr, 0) == UNZ_OK) { - if (fileInfo.uncompressed_size != 0) { + if (fileInfo.uncompressed_size != 0 && fileInfo.size_filename <= FileNameSize) { std::string filename_string(filename, fileInfo.size_filename); SimplifyFilename(filename_string); m_ArchiveMap.emplace(filename_string, ZipFileInfo(m_ZipFileHandle, fileInfo.uncompressed_size));