cpl_zipOpenNewFileInZip3(): validate length of filename, comment and …

…extrafields (CVE-2023-45853) Backport of madler/zlib#843
OSGeo · Nov 4, 2023 · 725070c · 725070c
1 parent 6e2afd1
commit 725070c
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/port/cpl_minizip_zip.cpp b/port/cpl_minizip_zip.cpp
@@ -1134,6 +1134,17 @@ extern int ZEXPORT cpl_zipOpenNewFileInZip3(
     if (filename == nullptr)
         filename = "-";
 
+    // The filename and comment length must fit in 16 bits.
+    if ((filename != nullptr) && (strlen(filename) > 0xffff))
+        return ZIP_PARAMERROR;
+    if ((comment != nullptr) && (strlen(comment) > 0xffff))
+        return ZIP_PARAMERROR;
+    // The extra field length must fit in 16 bits. If the member also requires
+    // a Zip64 extra block, that will also need to fit within that 16-bit
+    // length, but that will be checked for later.
+    if ((size_extrafield_local > 0xffff) || (size_extrafield_global > 0xffff))
+        return ZIP_PARAMERROR;
+
     if (comment == nullptr)
         size_comment = 0;
     else