From 0c1b894b69ff1261f14bad616d8a4ddada186a0d Mon Sep 17 00:00:00 2001
From: Piotr Jastrzebski
Date: Fri, 15 Aug 2014 12:53:00 +0100
Subject: Reject zip archives with entry names containing \0.

There should never be a need of an entry name with \0 character.
Bug: 16162465
(cherry picked from commit 78271ba97b5d867e3597b7fc2257dd1bbd513b05)
Change-Id: I68c72fb45e8ec70eb125cfc887488bc18ba5447d
---
 libziparchive/zip_archive.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'libziparchive')

diff --git a/libziparchive/zip_archive.cc b/libziparchive/zip_archive.cc
index 6ec8f0d34..87dac0e74 100644
--- a/libziparchive/zip_archive.cc
+++ b/libziparchive/zip_archive.cc
@@ -638,9 +638,15 @@ static int32_t ParseZipArchive(ZipArchive* archive) {
  const uint16_t file_name_length = cdr->file_name_length;
  const uint16_t extra_length = cdr->extra_field_length;
  const uint16_t comment_length = cdr->comment_length;
+ const char* file_name = reinterpret_cast(ptr + sizeof(CentralDirectoryRecord));
+
+ /* check that file name doesn't contain \0 character */
+ if (memchr(file_name, 0, file_name_length) != NULL) {
+ ALOGW("Zip: entry name can't contain \\0 character");
+ goto bail;
+ }
 
  /* add the CDE filename to the hash table */
- const char* file_name = reinterpret_cast(ptr + sizeof(CentralDirectoryRecord));
  const int add_result = AddToHash(archive->hash_table,
  archive->hash_table_size, file_name, file_name_length);
  if (add_result) {
-- 
cgit v1.2.2-2-gfde8
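Review bot: The new `memchr(file_name, 0, file_name_length)` scans a length taken directly from the central directory record, and nothing visible in the hunk checks that `file_name + file_name_length` stays inside the central directory buffer before the scan. If that bound is not enforced earlier in ParseZipArchive (its body starts and ends outside the hunk, so this is unconfirmed), a malformed archive with an oversized `file_name_length` makes both `memchr` and the later `AddToHash` read past the directory data. I would add a guard ahead of the NUL check, along the lines of `if (file_name_length > <bytes remaining in central directory>) { ALOGW(...); goto bail; }`, using whatever end-of-directory pointer the function already tracks. The warning would also be easier to triage if it included the entry index, as a bare "entry name can't contain \0" does not say which record was rejected.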