From 2c2d6e5940c785d5bfd603cff49b0eec07ddac4f Mon Sep 17 00:00:00 2001
From: Hans Wennborg
Date: Fri, 18 Aug 2023 11:05:33 +0200
Subject: [PATCH] Reject overflows of zip header fields in minizip compat

This checks the lengths of the file name, and comment that would be put in the zip headers, and rejects them if they are too long. They are each limited to 65535 bytes in length by the zip format. This also avoids possible buffer overflows if the provided fields are too long. See #736.
---
 mz_compat.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/mz_compat.c b/mz_compat.c
index 1eba375..71aca13 100644
--- a/mz_compat.c
+++ b/mz_compat.c
@@ -463,6 +463,12 @@ int zipOpenNewFileInZip5(zipFile file, const char *filename, const zip_fileinfo
 if (!compat)
 return ZIP_PARAMERROR;
 
+ // The filename and comment length must fit in 16 bits.
+ if (filename && strlen(filename) > 0xffff)
+ return ZIP_PARAMERROR;
+ if (comment && strlen(comment) > 0xffff)
+ return ZIP_PARAMERROR;
+
 memset(&file_info, 0, sizeof(file_info));
 
 if (zipfi) {
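Review bot: The two new length guards at the top of zipOpenNewFileInZip5 protect only this compat entry point, so any other path that hands a name or comment longer than 65535 bytes to the header writer would still reach the 16-bit length fields and the possible buffer overflow the commit message mentions. The rest of this function and the writer itself are outside the hunk, so that should be confirmed there, ideally by rejecting the value at the point where the length is stored. Within the hunk, writing the limit as `UINT16_MAX` (for example `if (filename && strlen(filename) > UINT16_MAX)`) would tie the check to the width of the header field instead of a repeated literal, assuming `<stdint.h>` is already available in mz_compat.c. The diffstat shows only mz_compat.c changing, so a regression test that passes an over-long filename and an over-long comment and expects `ZIP_PARAMERROR` would be worth adding.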