From a35f372e1b978b82cd3649a764196acd30ffae5d Mon Sep 17 00:00:00 2001
From: jpirnay
Date: Fri, 6 Mar 2026 04:25:17 +0100
Subject: [PATCH] fix: avoid zip filename overflow (#1321)

## Summary
* **What is the goal of this PR?** Potential stack buffer overflow from untrusted ZIP entry name length
* **What changes are included?** If nameLen >= 256 , this writes past the stack buffer. Risk: memory corruption/crash on malformed EPUB/ZIP.
## Additional Context
* Add any other information that might be helpful for the reviewer (e.g., performance implications, potential risks, specific areas to focus on).
---
### AI Usage
While CrossPoint doesn't have restrictions on AI tools in contributing, please be transparent about their usage as it helps set the right context for reviewers.
Did you use AI tools to help write this code? _** PARTIALLY **_
Issue identified by AI
---
lib/ZipFile/ZipFile.cpp | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/lib/ZipFile/ZipFile.cpp b/lib/ZipFile/ZipFile.cpp
index 2a2af164..a740e14d 100644
--- a/lib/ZipFile/ZipFile.cpp
+++ b/lib/ZipFile/ZipFile.cpp
@@ -71,10 +71,15 @@ bool ZipFile::loadAllFileStatSlims() {
 file.read(&k, 2);
 file.seekCur(8);
 file.read(&fileStat.localHeaderOffset, 4);
- file.read(itemName, nameLen);
- itemName[nameLen] = '\0';
- fileStatSlimCache.emplace(itemName, fileStat);
+ if (nameLen < sizeof(itemName)) {
+ file.read(itemName, nameLen);
+ itemName[nameLen] = '\0';
+ fileStatSlimCache.emplace(itemName, fileStat);
+ } else {
+ // Skip over oversized entry names to avoid writing past fixed buffer.
+ file.seekCur(nameLen);
+ }
 // Skip the rest of this entry (extra field + comment)
 file.seekCur(m + k);
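Review bot: The new else branch silently drops any entry whose name does not fit itemName (the ZIP format allows names up to 65535 bytes), so a valid EPUB containing one long path loses that entry from fileStatSlimCache and later lookups fail with no signal; returning false, or at least logging, in that branch would be safer than treating it as benign, and the comment should state the consequence, e.g. `// Entry name does not fit the fixed buffer; this entry is NOT cached and later lookups for it will miss.` The guarded `file.read(itemName, nameLen)` still ignores the read's result, so a truncated archive leaves stale bytes in itemName up to the terminator and a bogus key gets cached; comparing the returned count against nameLen before the emplace, `if (file.read(itemName, nameLen) != nameLen) return false;`, would close that, assuming read returns the byte count as its name suggests. The `sizeof(itemName)` bound is only correct while itemName remains a local array (the PR description says it is a 256-byte stack buffer); if it is ever changed to a pointer the check degrades to sizeof(char*) without a compile error, so a `static_assert(std::is_array_v<decltype(itemName)>)` or a named kMaxEntryName constant would lock that in. loadAllFileStatSlims starts and ends outside this hunk.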