fix(security): fix stack buffer overflow in ZipFile and add resource path validation#188
Open
dcol91863 wants to merge 1 commit intopjasicek:masterfrom
Open
Conversation
…path validation ZipFile.cpp — two buffer overflow sites: 1. ZipFile::Init(): fh.fnameLen is a uint16 read directly from the untrusted ZIP central-directory (max 65535). It was used as the memcpy count into a fixed 260-byte (_MAX_PATH) stack buffer with no bounds check. A malformed ASSETS.ZIP could overflow the stack frame. Fix: reject any entry whose fnameLen >= _MAX_PATH and fail the open. 2. ZipFile::GetFilename(): same root cause — fnameLen used to index past the end of a 260-byte stack buffer. Fix: construct the std::string directly from (ptr, len), removing the intermediate stack buffer entirely. ResourceCache.h / ResourceCache.cpp — directory traversal: Resource names were forwarded to the REZ archive API with no validation, allowing a crafted archive to request paths containing ".." and escape the resource root. Added IsValidResourcePath() which rejects paths containing ".." components or embedded null bytes, and call it at the top of VGetRawResourceSize() and VGetRawResource().
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes two security issues in the asset-loading code that can be triggered by a malformed or malicious archive file.
ZipFile.cpp(two sites)ResourceCacheA prior PR (#185) proposed similar fixes but has not been merged. This PR reimplements them cleanly and independently.
Changes
OpenClaw/Engine/Resource/ZipFile.cppZipFile::Init()— bounds check beforememcpyfh.fnameLenis auint16(0–65535) read directly from the untrusted ZIP central-directory. It was used as thememcpycount into a fixed 260-byte (_MAX_PATH) stack buffer with no validation. A craftedASSETS.ZIPcan overflow the stack.Before:
After:
ZipFile::GetFilename()— eliminate intermediate stack bufferSame root cause. Fixed by constructing the
std::stringdirectly from pointer + length:Before:
After:
fileName = std::string(m_papDir[i]->GetName(), m_papDir[i]->fnameLen);OpenClaw/Engine/Resource/ResourceCache.h+ResourceCache.cppAdded
IsValidResourcePath()which rejects paths containing..components or embedded null bytes. Called at the top ofVGetRawResourceSize()andVGetRawResource()inResourceRezArchive.Testing
ASSETS.ZIPloads without regression.fnameLen = 0x01FF(511) now causesInit()to returnfalsecleanly instead of crashing.GetFilename()with the same crafted archive returns an empty string instead of overflowing.