Avoid Win32 file source I/O length truncation#541
Open
Alb3e3 wants to merge 1 commit into
Open
Conversation
The Win32 file source passed zip_uint64_t lengths directly to ReadFile and WriteFile, whose byte-count arguments are DWORD values. Very large source operations could therefore wrap or truncate before reaching the OS. Clamp read requests to the largest DWORD-sized transfer so zip_source_read can continue in chunks, and write large buffers in DWORD-sized chunks so the write path either completes the requested length or reports a real write error.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
DWORDbyte count accepted byReadFileDWORD-sized chunks instead of casting the fullzip_uint64_tlengthRationale
The libzip source API uses
zip_uint64_tbyte counts, but the Win32ReadFileandWriteFileAPIs acceptDWORDbyte counts. Passing a larger value through a direct cast can wrap or truncate the transfer size before it reaches the OS.For reads, returning a bounded chunk lets
zip_source_read()continue its existing loop. For writes, the Win32 backend now loops over bounded chunks so large writes either complete the requested length or fail with the underlying write error.Testing
git diff --checkNot run locally: full CMake/tests or Windows compile, because this container does not have
cmake,clang-format,cppcheck, or a MinGW/Windows compiler installed.