Fix 698540: Check name, comment and meta size field signs.

author: Tor Andersson <tor.andersson@artifex.com> 2017-09-19 16:33:38 +0200
committer: Tor Andersson <tor.andersson@artifex.com> 2017-09-19 17:19:41 +0200
commit: 0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 (patch)
tree: 13c7d774b24aee3f66d1fc7f19136c0f3ced066a /source/fitz/unzip.c
parent: ab1a420613dec93c686acbee2c165274e922f82a (diff)
download: mupdf-0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1.tar.xz
1 files changed, 3 insertions, 0 deletions
diff --git a/source/fitz/unzip.c b/source/fitz/unzip.c
index f2d4f322..0bcce0fd 100644
--- a/source/fitz/unzip.c
+++ b/source/fitz/unzip.c
@@ -141,6 +141,9 @@ static void read_zip_dir_imp(fz_context *ctx, fz_zip_archive *zip, int start_off
 		(void) fz_read_int32_le(ctx, file); /* ext file atts */
 		offset = fz_read_int32_le(ctx, file);
 
+		if (namesize < 0 || metasize < 0 || commentsize < 0)
+			fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
+
 		name = fz_malloc(ctx, namesize + 1);
 		n = fz_read(ctx, file, (unsigned char*)name, namesize);
 		if (n < (size_t)namesize)
author	Tor Andersson <tor.andersson@artifex.com>	2017-09-19 16:33:38 +0200
committer	Tor Andersson <tor.andersson@artifex.com>	2017-09-19 17:19:41 +0200
commit	0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 (patch)
tree	13c7d774b24aee3f66d1fc7f19136c0f3ced066a /source/fitz/unzip.c
parent	ab1a420613dec93c686acbee2c165274e922f82a (diff)
download	mupdf-0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1.tar.xz