diff --git a/src/main/java/com/ahj/comic/io/CbzIo.java b/src/main/java/com/ahj/comic/io/CbzIo.java
index f9cea82..f6fe97a 100644
--- a/src/main/java/com/ahj/comic/io/CbzIo.java
+++ b/src/main/java/com/ahj/comic/io/CbzIo.java
@@ -53,6 +53,10 @@ public List read(File file, File workDir) throws IOException {
 }
 File imageFile = new File(workDir, entry.getName());
+
+ if (!imageFile.toPath().normalize().startsWith(workDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 if (entry.isDirectory() ||
 // Nasty hack to avoid outputing metadata folders that