diff options
| author | Caolán McNamara <caolanm@redhat.com> | 2017-11-27 16:29:37 +0000 |
|---|---|---|
| committer | Caolán McNamara <caolanm@redhat.com> | 2017-11-28 17:58:38 +0100 |
| commit | 2867c32c99b85e42b018266988dc8f7796c1fc77 (patch) | |
| tree | ffd117e990d268bf91fdb9d19494c44a36b770b0 /package | |
| parent | ofz: check sprm bounds (diff) | |
| download | core-2867c32c99b85e42b018266988dc8f7796c1fc77.tar.gz core-2867c32c99b85e42b018266988dc8f7796c1fc77.zip | |
keep track of available data
Change-Id: Idc54cdef0f3a4355a7e26f25cdc5b50d65d9d583
Reviewed-on: https://gerrit.libreoffice.org/45353
Reviewed-by: Michael Stahl <mstahl@redhat.com>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Caolán McNamara <caolanm@redhat.com>
Diffstat (limited to 'package')
| -rw-r--r-- | package/source/zipapi/MemoryByteGrabber.hxx | 2 | ||||
| -rw-r--r-- | package/source/zipapi/ZipFile.cxx | 3 |
2 files changed, 5 insertions, 0 deletions
diff --git a/package/source/zipapi/MemoryByteGrabber.hxx b/package/source/zipapi/MemoryByteGrabber.hxx index 1366eea478b0..5417406db379 100644 --- a/package/source/zipapi/MemoryByteGrabber.hxx +++ b/package/source/zipapi/MemoryByteGrabber.hxx @@ -36,6 +36,8 @@ public: } const sal_Int8 * getCurrentPos () { return mpBuffer + mnCurrent; } + sal_Int32 remainingSize() const { return mnEnd - mnCurrent; } + // XInputStream chained /// @throws css::io::NotConnectedException diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx index b7cdf7289d4c..61f7ea1dacc1 100644 --- a/package/source/zipapi/ZipFile.cxx +++ b/package/source/zipapi/ZipFile.cxx @@ -934,6 +934,9 @@ sal_Int32 ZipFile::readCEN() if ( aEntry.nExtraLen < 0 ) throw ZipException("unexpected extra header info length" ); + if (aEntry.nPathLen > aMemGrabber.remainingSize()) + throw ZipException("name too long"); + // read always in UTF8, some tools seem not to set UTF8 bit aEntry.sPath = OUString::intern ( reinterpret_cast<char const *>(aMemGrabber.getCurrentPos()), aEntry.nPathLen, |