From 31dc8b73b7727a7d01ec2365d94c01978dc1a8b4 Mon Sep 17 00:00:00 2001
From: Max Kellermann <max.kellermann@gmail.com>
Date: Sun, 30 Apr 2023 08:42:32 +0200
Subject: [PATCH] db/update/Archive: validate directory names

Fixes assertion failure if the ZIP file contains a path that begins
with a slash.

Closes https://github.com/MusicPlayerDaemon/MPD/issues/1793
---
 NEWS                      | 1 +
 src/db/update/Archive.cxx | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index ffe104488..e4bdd351e 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ ver 0.24 (not yet released)
   - proxy: require libmpdclient 2.15 or later
 * archive
   - add option to disable archive plugins in mpd.conf
+  - zzip: fix crash bug
 * input
   - curl: add "connect_timeout" configuration
   - curl: fix busy loop after connection failed
diff --git a/src/db/update/Archive.cxx b/src/db/update/Archive.cxx
index 84b57d9ef..a78e946c3 100644
--- a/src/db/update/Archive.cxx
+++ b/src/db/update/Archive.cxx
@@ -50,6 +50,9 @@ UpdateWalk::UpdateArchiveTree(ArchiveFile &archive, Directory &directory,
 {
 	const auto [child_name, rest] = Split(name, '/');
 	if (rest.data() != nullptr) {
+		if (!IsAcceptableFilename(child_name))
+			return;
+
 		//add dir is not there already
 		Directory *subdir = LockMakeChild(directory, child_name);
 		subdir->device = DEVICE_INARCHIVE;