file/archive_file_zlib: guard ZIP context allocation

LibretroAdmin · LibretroAdmin · commit 15c6484cca58 · 2026-04-19T16:42:01.000+02:00
zip_parse_file_init() reads the central-directory size and offset
from the ZIP footer and allocates "sizeof(zip_context_t) +
directory_size" bytes for the context + directory.  Three issues:

1. 32-bit allocation wraparound.  On 32-bit hosts (3DS, Vita, PSP,
   Wii, Wii U) size_t is 32 bits, so a crafted directory_size near
   UINT32_MAX makes the "+ sizeof(zip_context_t)" wrap to a tiny
   value.  The subsequent directory_end = directory + directory_size
   computation then points roughly 4 GiB past a small allocation,
   and every read from the directory is out of bounds.

2. Unchecked malloc return.  Even on 64-bit, a 4 GiB directory_size
   request from a crafted ZIP can fail allocation; the next line
   dereferences the returned NULL unconditionally.

3. Incomplete sanity check.  The existing check only verifies that
   directory_size and directory_offset individually fit within the
   archive.  With offset = archive_size - 1 and size = archive_size,
   each passes but the combination claims the directory runs past
   EOF.  The subsequent short read is caught, but only after the
   large bogus allocation is already made.

Fix: reject the combined "offset + size &gt; archive_size", reject
sizes that would overflow the allocation, and check the malloc
return.
diff --git a/libretro-common/file/archive_file_zlib.c b/libretro-common/file/archive_file_zlib.c
@@ -508,10 +508,27 @@ static int zip_parse_file_init(file_archive_transfer_t *state,
          || directory_offset > state->archive_size)
       return -1;
 
+   /* Combined sanity check: the directory must fit entirely within
+    * the archive.  Without this, offset + size could wrap or point
+    * past EOF, producing a large bogus allocation and a short read. */
+   if ((int64_t)directory_offset + (int64_t)directory_size > state->archive_size)
+      return -1;
+
+   /* Reject sizes that would overflow the allocation on 32-bit hosts.
+    * size_t is 32-bit on 3DS / Vita / PSP / Wii / Wii U, where a
+    * directory_size near UINT32_MAX would wrap
+    *     sizeof(zip_context_t) + (size_t)directory_size
+    * to a tiny value, after which directory_end runs off the end of
+    * the allocation. */
+   if ((size_t)directory_size > SIZE_MAX - sizeof(zip_context_t))
+      return -1;
+
    /* This is a ZIP file, allocate one block of memory for both the
     * context and the entire directory, then read the directory.
     */
    zip_context = (zip_context_t*)malloc(sizeof(zip_context_t) + (size_t)directory_size);
+   if (!zip_context)
+      return -1;
    zip_context->state             = state;
    zip_context->directory         = (uint8_t*)(zip_context + 1);
    zip_context->directory_entry   = zip_context->directory;
