Add more verify when unpack paz archive

2026-06-06 21:08:48 +08:00 · 2025-11-03 23:02:47 +08:00
parent 0e4b308433
commit a3d8065ab4
1 changed files with 14 additions and 2 deletions
--- a/src/scripts/musica/archive/paz.rs
+++ b/src/scripts/musica/archive/paz.rs
@@ -271,6 +271,7 @@ impl PazArc {
                break;
            }
        }
+        let arc_size = stream.stream_length()?;
        let schema = if let Some(title) = &config.musica_game_title {
            let schema = query_paz_schema(title).ok_or_else(|| {
                anyhow::anyhow!("Unsupported game title '{}' for PAZ archive", title)
@@ -330,8 +331,8 @@ impl PazArc {
            let t = xor_key as u32;
            index_size ^= t << 24 | t << 16 | t << 8 | t;
        }
-        if index_size & 7 != 0 {
-            return Err(anyhow::anyhow!("Invalid PAZ index size"));
+        if index_size & 7 != 0 || index_size as u64 > arc_size - start_offset {
+            return Err(anyhow::anyhow!("Invalid PAZ index size: {}", index_size));
        }
        let mut mov_key = None;
        let entries = {
@@ -357,6 +358,17 @@ impl PazArc {
                }
                mov_key = Some(key);
            }
+            // Each PAZ entry at least needs 0x18 bytes
+            let least_len = match count.checked_mul(0x18) {
+                Some(v) => v,
+                None => {
+                    return Err(anyhow::anyhow!("Invalid PAZ entry count: {}", count));
+                }
+            };
+            let other_len = if is_video { 0x104 } else { 4 };
+            if least_len > index_size - other_len {
+                return Err(anyhow::anyhow!("Invalid PAZ entry count: {}", count));
+            }
            let mut entries = Vec::with_capacity(count as usize);
            for _ in 0..count {
                let entry: PazEntry = index_stream.read_struct(false, archive_encoding)?;