From 1417578b3ddd9173578a9bd73e4ba92f792cfdb1 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max.kellermann@gmail.com>
Date: Sun, 30 Apr 2023 08:42:32 +0200
Subject: [PATCH] db/update/Archive: validate directory names

Fixes assertion failure if the ZIP file contains a path that begins
with a slash.

Closes https://github.com/MusicPlayerDaemon/MPD/issues/1793
---
 NEWS                      | 2 ++
 src/db/update/Archive.cxx | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/NEWS b/NEWS
index 2b14f80f2..0825c118e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
 ver 0.23.13 (not yet released)
 * input
   - curl: fix busy loop after connection failed
+* archive
+  - zzip: fix crash bug
 * decoder
   - gme: require GME 0.6 or later
 * output
diff --git a/src/db/update/Archive.cxx b/src/db/update/Archive.cxx
index ccb7eb249..1383cf343 100644
--- a/src/db/update/Archive.cxx
+++ b/src/db/update/Archive.cxx
@@ -67,6 +67,9 @@ UpdateWalk::UpdateArchiveTree(ArchiveFile &archive, Directory &directory,
 	const char *tmp = std::strchr(name, '/');
 	if (tmp) {
 		const std::string_view child_name(name, tmp - name);
+		if (!IsAcceptableFilename(child_name))
+			return;
+
 		//add dir is not there already
 		Directory *subdir = LockMakeChild(directory, child_name);
 		subdir->device = DEVICE_INARCHIVE;