Fix length checks in zip_file::remove_comment()

Kai Dietrich · Kai Dietrich · commit d9c57a3283f9 · 2020-10-21T10:07:18.000+02:00
diff --git a/zip_file.hpp b/zip_file.hpp
@@ -5651,10 +5651,20 @@ class zip_file
             throw std::runtime_error("didn't find end of central directory signature");
         }
         
+        if (position + 2 >= buffer_.size())
+        {
+            throw std::runtime_error("central dictionary position invalid");
+        }
+        
         uint16_t length = static_cast<uint16_t>(buffer_[position + 1]);
         length = static_cast<uint16_t>(length << 8) + static_cast<uint16_t>(buffer_[position]);
         position += 2;
         
+        if (position + length > buffer_.size())
+        {
+            throw std::runtime_error("comment too long");
+        }
+        
         if(length != 0)
         {
             comment = std::string(buffer_.data() + position, buffer_.data() + position + length);
