file/archive_file_zlib: harden ZIP central-directory parser

Two related issues in the ZIP central-directory walker and filename
callback, both reachable from any ZIP load (ROM scan, content load,
extract-to-dir, etc):

1. zip_parse_file_iterate_step_internal() checked only that the
   directory entry pointer fell inside the directory block, not that
   a full 46-byte central-file-header plus the variable-length name,
   extra and comment fields actually fit.  A malformed archive with a
   truncated trailing entry caused read_le() to read past the
   allocation.  Reproduced under AddressSanitizer with a 40-byte
   directory:

       ERROR: AddressSanitizer: heap-buffer-overflow
       READ of size 1 at 2 bytes after 40-byte region

   Fix by checking the available entry size (a) before the header
   reads, and (b) before the memcpy of the filename, against the
   declared namelength/extralength/commentlength.

2. zip_file_decompressed() computed "name[strlen(name) - 1]" without
   guarding against an empty filename entry.  When strlen == 0 the
   index wraps to SIZE_MAX and the dereference reads far out of
   bounds.  A ZIP central directory is allowed to contain zero-length
   name entries only if malformed, but producing such an archive is
   trivial.

Both fixes reject the malformed entry and continue, so the parser
skips bad archives rather than crashing.

Author: LibretroAdmin

libretro-common/file/archive_file_zlib.c

@@ -359,7 +359,14 @@ static int zip_file_decompressed(
       uint32_t crc32, struct archive_extract_userdata *userdata)
 {
    decomp_state_t* decomp_state = (decomp_state_t*)userdata->cb_data;
-   char last_char = name[strlen(name) - 1];
+   size_t name_len              = name ? strlen(name) : 0;
+   char last_char;
+   /* Reject empty or NULL name -- strlen-1 on empty would read
+    * name[SIZE_MAX].  Malformed archives can have 0-length filename
+    * entries. */
+   if (name_len == 0)
+      return 1;
+   last_char = name[name_len - 1];
    /* Ignore directories. */
    if (last_char == '/' || last_char == '\\')
       return 1;
@@ -538,6 +545,12 @@ static int zip_parse_file_iterate_step_internal(
    if (entry < zip_context->directory || entry >= zip_context->directory_end)
       return 0;
 
+   /* Central-directory fixed header is 46 bytes (highest-offset read
+    * is at +42..+45).  Reject a truncated trailing entry before any
+    * out-of-bounds read. */
+   if ((size_t)(zip_context->directory_end - entry) < 46)
+      return -1;
+
    signature = read_le(zip_context->directory_entry + 0, 4);
 
    if (signature != CENTRAL_FILE_HEADER_SIGNATURE)
@@ -555,6 +568,13 @@ static int zip_parse_file_iterate_step_internal(
    if (namelength >= PATH_MAX_LENGTH)
       return -1;
 
+   /* Variable-length fields (name, extra, comment) follow the 46-byte
+    * fixed header.  Reject if the declared sizes would run past the
+    * end of the directory block. */
+   if ((size_t)(zip_context->directory_end - entry)
+         < (size_t)46 + namelength + extralength + commentlength)
+      return -1;
+
    memcpy(filename, zip_context->directory_entry + 46, namelength); /* file name */
    filename[namelength] = '\0';