[Libreoffice-commits] core.git: Branch 'libreoffice-5-4' - package/source

[Caolán McNamara]

 package/source/zipapi/MemoryByteGrabber.hxx |    2 ++
 package/source/zipapi/ZipFile.cxx           |    3 +++
 2 files changed, 5 insertions(+)

New commits:
commit 35376a21e6bd3d7eede07b1e8f359f728b5c54c9
Author: Caolán McNamara <caolanm at redhat.com>
Date:   Mon Nov 27 16:29:37 2017 +0000

    keep track of available data
    
    Change-Id: Idc54cdef0f3a4355a7e26f25cdc5b50d65d9d583
    Reviewed-on: https://gerrit.libreoffice.org/45354
    Reviewed-by: Michael Stahl <mstahl at redhat.com>
    Tested-by: Jenkins <ci at libreoffice.org>

diff --git a/package/source/zipapi/MemoryByteGrabber.hxx b/package/source/zipapi/MemoryByteGrabber.hxx
index c5436c2a34f0..e04fcca26092 100644
--- a/package/source/zipapi/MemoryByteGrabber.hxx
+++ b/package/source/zipapi/MemoryByteGrabber.hxx
@@ -39,6 +39,8 @@ public:
     }
     const sal_Int8 * getCurrentPos () { return mpBuffer + mnCurrent; }
 
+    sal_Int32 remainingSize() const { return mnEnd - mnCurrent; }
+
     // XInputStream chained
 
     /// @throws css::io::NotConnectedException
diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx
index 14b536db3ada..547be25ed23a 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -923,6 +923,9 @@ sal_Int32 ZipFile::readCEN()
             if ( aEntry.nExtraLen < 0 )
                 throw ZipException("unexpected extra header info length" );
 
+            if (aEntry.nPathLen > aMemGrabber.remainingSize())
+                throw ZipException("name too long");
+
             // read always in UTF8, some tools seem not to set UTF8 bit
             aEntry.sPath = OUString::intern ( reinterpret_cast<char const *>(aMemGrabber.getCurrentPos()),
                                                    aEntry.nPathLen,