From 88e7f3eb0fbead5bf9b6818e6a0b62679eeeda00 Mon Sep 17 00:00:00 2001
From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Mon, 14 Aug 2017 01:29:45 -0400
Subject: [PATCH] Sanity check archivers that should only have low-ASCII
 filename.

---
 src/physfs_archiver_iso9660.c | 15 +++++++++++----
 src/physfs_archiver_vdf.c     |  9 ++++++---
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/physfs_archiver_iso9660.c b/src/physfs_archiver_iso9660.c
index f58a15f0..c152b177 100644
--- a/src/physfs_archiver_iso9660.c
+++ b/src/physfs_archiver_iso9660.c
@@ -54,6 +54,7 @@ static int iso9660AddEntry(PHYSFS_Io *io, const int joliet, const int isdir,
     size_t baselen;
     size_t fullpathlen;
     void *entry;
+    int i;
 
     if (fnamelen == 1 && ((fname[0] == 0) || (fname[0] == 1)))
         return 1;  /* Magic that represents "." and "..", ignore */
@@ -80,7 +81,6 @@ static int iso9660AddEntry(PHYSFS_Io *io, const int joliet, const int isdir,
     {
         PHYSFS_uint16 *ucs2 = (PHYSFS_uint16 *) fname;
         int total = fnamelen / 2;
-        int i;
         for (i = 0; i < total; i++)
             ucs2[i] = PHYSFS_swapUBE16(ucs2[i]);
         ucs2[total] = '\0';
@@ -88,10 +88,17 @@ static int iso9660AddEntry(PHYSFS_Io *io, const int joliet, const int isdir,
     } /* if */
     else
     {
-        /* !!! FIXME-3.0: we assume the filenames are low-ASCII; if they use
-           any high-ASCII chars, they will be invalid UTF-8. */
-        memcpy(fnamecpy, fname, fnamelen);
+        for (i = 0; i < fnamelen; i++)
+        {
+            /* We assume the filenames are low-ASCII; consider the archive
+               corrupt if we see something above 127, since we don't know the
+               encoding. (We can change this later if we find out these exist
+               and are intended to be, say, latin-1 or UTF-8 encoding). */
+            BAIL_IF(fname[i] > 127, PHYSFS_ERR_CORRUPT, 0);
+            fnamecpy[i] = fname[i];
+        } /* for */
         fnamecpy[fnamelen] = '\0';
+
         if (!isdir)
         {
             /* find last SEPARATOR2 */
diff --git a/src/physfs_archiver_vdf.c b/src/physfs_archiver_vdf.c
index 9547537e..5d2210f4 100644
--- a/src/physfs_archiver_vdf.c
+++ b/src/physfs_archiver_vdf.c
@@ -70,6 +70,12 @@ static int vdfLoadEntries(PHYSFS_Io *io, const PHYSFS_uint32 count,
         name[VDF_ENTRY_NAME_LENGTH] = '\0';  /* always null-terminated. */
         for (namei = VDF_ENTRY_NAME_LENGTH - 1; namei >= 0; namei--)
         {
+            /* We assume the filenames are low-ASCII; consider the archive
+               corrupt if we see something above 127, since we don't know the
+               encoding. (We can change this later if we find out these exist
+               and are intended to be, say, latin-1 or UTF-8 encoding). */
+            BAIL_IF(((PHYSFS_uint8) name[namei]) > 127, PHYSFS_ERR_CORRUPT, 0);
+
             if (name[namei] == ' ')
                 name[namei] = '\0';
             else
@@ -78,9 +84,6 @@ static int vdfLoadEntries(PHYSFS_Io *io, const PHYSFS_uint32 count,
 
         BAIL_IF(!name[0], PHYSFS_ERR_CORRUPT, 0);
 
-        /* !!! FIXME-3.0: we assume the filenames are low-ASCII; if they use
-           any high-ASCII chars, they will be invalid UTF-8. */
-
         BAIL_IF_ERRPASS(!UNPK_addEntry(arc, name, 0, ts, ts, jump, size), 0);
     } /* for */