db/update/Archive: validate directory names

Fixes assertion failure if the ZIP file contains a path that begins with a slash. Closes https://github.com/MusicPlayerDaemon/MPD/issues/1793

db/update/Archive: validate directory names
1417578b · Max Kellermann · 96befa13 · 1417578b · 1417578b
Commit 1417578b authored Apr 30, 2023 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

NEWS NEWS +2 -0

Archive.cxx src/db/update/Archive.cxx +3 -0

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.23.13 (not yet released)
 * input
  - curl: fix busy loop after connection failed
+* archive
+  - zzip: fix crash bug
 * decoder
  - gme: require GME 0.6 or later
 * output

--- a/src/db/update/Archive.cxx
+++ b/src/db/update/Archive.cxx
@@ -67,6 +67,9 @@ UpdateWalk::UpdateArchiveTree(ArchiveFile &archive, Directory &directory,
 	const char *tmp = std::strchr(name, '/');
 	if (tmp) {
 		const std::string_view child_name(name, tmp - name);
+		if (!IsAcceptableFilename(child_name))
+			return;
+
 		//add dir is not there already
 		Directory *subdir = LockMakeChild(directory, child_name);
 		subdir->device = DEVICE_INARCHIVE;