Mirrors/yuzu
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

android: Fix potential zip traversal exploit

Browse source
This commit is contained in:
Charles Lombardo 2023-05-01 01:02:41 -04:00 committed by bunnei
parent d1fb7ea58b
commit 3281dc597e
1 changed files with 9 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/android/app/src/main/java/org/yuzu/yuzu_emu/utils/GpuDriverHelper.kt
View file

@ -7,6 +7,7 @@ import android.content.Context
import android.net.Uri
import org.yuzu.yuzu_emu.NativeLibrary
import org.yuzu.yuzu_emu.utils.FileUtil.copyUriToInternalStorage
import java.io.BufferedInputStream
import java.io.File
import java.io.FileInputStream
import java.io.FileOutputStream
@ -28,12 +29,17 @@ object GpuDriverHelper {
if (!dir.exists()) dir.mkdirs()
// Unpack the files.
val zis = ZipInputStream(FileInputStream(zipFilePath))
val inputStream = FileInputStream(zipFilePath)
val zis = ZipInputStream(BufferedInputStream(inputStream))
val buffer = ByteArray(1024)
var ze = zis.nextEntry
while (ze != null) {
val fileName = ze.name
val newFile = File(destDir + fileName)
val newFile = File(destDir, ze.name)
val canonicalPath = newFile.canonicalPath
if (!canonicalPath.startsWith(destDir + ze.name)) {
throw SecurityException("Zip file attempted path traversal! " + ze.name)
}
newFile.parentFile!!.mkdirs()
val fos = FileOutputStream(newFile)
var len: Int