Fix stack overflow in ZipArchiveIOSystem::MapArchive

The function allocates a 256-byte filename buffer and copies the filename
extracted from the zip file into it. However, a filename might be larger
than 256 characters, in which case the function would write out of bounds.

This commit skips any file whose name is larger than 256 to avoid the
overflow.

Fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38870
Fix #4228
Alex Rebert 2022-01-05 10:01:46 -05:00
parent 1d815fc23e
commit 34d8fba100
1 changed files with 1 additions and 1 deletions


@ -372,7 +372,7 @@ void ZipArchiveIOSystem::Implement::MapArchive() {
unz_file_info fileInfo; unz_file_info fileInfo;
if (unzGetCurrentFileInfo(m_ZipFileHandle, &fileInfo, filename, FileNameSize, nullptr, 0, nullptr, 0) == UNZ_OK) { if (unzGetCurrentFileInfo(m_ZipFileHandle, &fileInfo, filename, FileNameSize, nullptr, 0, nullptr, 0) == UNZ_OK) {
if (fileInfo.uncompressed_size != 0) { if (fileInfo.uncompressed_size != 0 && fileInfo.size_filename <= FileNameSize) {
std::string filename_string(filename, fileInfo.size_filename); std::string filename_string(filename, fileInfo.size_filename);
SimplifyFilename(filename_string); SimplifyFilename(filename_string);
m_ArchiveMap.emplace(filename_string, ZipFileInfo(m_ZipFileHandle, fileInfo.uncompressed_size)); m_ArchiveMap.emplace(filename_string, ZipFileInfo(m_ZipFileHandle, fileInfo.uncompressed_size));