summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorCaolán McNamara <caolanm@redhat.com>2017-11-27 16:29:37 +0000
committerThorsten Behrens <Thorsten.Behrens@CIB.de>2018-06-01 14:26:52 +0200
commit4b63f21d3933dcdbff3343e1a6daa97eb17d47f2 (patch)
tree8c76ac910f4b4d5f9a9beff7fb9a74c2136268d4
parente32d481df19d6b93d9d66eea36ce314d3f5080c6 (diff)
keep track of available data
Change-Id: Idc54cdef0f3a4355a7e26f25cdc5b50d65d9d583 Reviewed-on: https://gerrit.libreoffice.org/45354 Reviewed-by: Michael Stahl <mstahl@redhat.com> Tested-by: Jenkins <ci@libreoffice.org> (cherry picked from commit 35376a21e6bd3d7eede07b1e8f359f728b5c54c9)
Diffstat
-rw-r--r--package/source/zipapi/MemoryByteGrabber.hxx2
-rw-r--r--package/source/zipapi/ZipFile.cxx3
2 files changed, 5 insertions, 0 deletions
diff --git a/package/source/zipapi/MemoryByteGrabber.hxx b/package/source/zipapi/MemoryByteGrabber.hxx
index 2beb8f5eccb7..e3326e2b9d33 100644
--- a/package/source/zipapi/MemoryByteGrabber.hxx
+++ b/package/source/zipapi/MemoryByteGrabber.hxx
@@ -39,6 +39,8 @@ public:
}
const sal_Int8 * getCurrentPos () { return mpBuffer + mnCurrent; }
+ sal_Int32 remainingSize() const { return mnEnd - mnCurrent; }
+
// XInputStream chained
void SAL_CALL skipBytes( sal_Int32 nBytesToSkip )
diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx
index 8153aee7e0fd..037e08e2eaad 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -946,6 +946,9 @@ sal_Int32 ZipFile::readCEN()
if ( aEntry.nExtraLen < 0 )
throw ZipException("unexpected extra header info length" );
+ if (aEntry.nPathLen > aMemGrabber.remainingSize())
+ throw ZipException("name too long");
+
// read always in UTF8, some tools seem not to set UTF8 bit
aEntry.sPath = OUString::intern ( reinterpret_cast<char const *>(aMemGrabber.getCurrentPos()),
aEntry.nPathLen,
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-21 19:26:59 +0000