zip_entry.c has a buffer underflow when a zip entry name is 0-length. It unilaterally checks for a slash at the end of the name, and if the name is empty, it checks at offset -1. Fix:

--- a/src/java.base/share/native/libzip/zip_util.c Thu May 07 10:19:34 2015 -0700
+++ b/src/java.base/share/native/libzip/zip_util.c Fri May 08 10:52:58 2015 -0700
@@ -1206,7 +1206,7 @@
}

/* Slash is already there? */
- if (name[ulen-1] == '/') {
+ if (ulen > 0 && name[ulen - 1] == '/') {
break;
}
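
Review bot: At the changed `if`, the `ulen > 0` guard stops the out-of-bounds read at `name[ulen - 1]`, but for an empty name control now skips the `break` and falls through to whatever follows this check, which the hunk does not show. Please confirm that path is intended and safe when `ulen` is 0, and add a regression test that looks up a zero-length entry name so the offset -1 read cannot come back. The description also names zip_entry.c while the diff changes zip_util.c; the two should agree.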