deps: update zlib to 1.3.1-3102d2a

deps/zlib/README.chromium

@@ -3,6 +3,7 @@ Short Name: zlib
 URL: http://zlib.net/
 Version: 1.3.1
 Revision: 51b7f2abdade71cd9bb0e7a373ef2610ec6f9daf
+Update Mechanism: Manual
 CPEPrefix: cpe:/a:zlib:zlib:1.3.1
 Security Critical: yes
 Shipped: yes

deps/zlib/contrib/minizip/README.chromium

@@ -3,6 +3,7 @@ Short Name: minizip
 URL: https://github.com/madler/zlib/tree/master/contrib/minizip
 Version: 1.3.1.1
 Revision: ef24c4c7502169f016dcd2a26923dbaf3216748c
+Update Mechanism: Manual
 License: Zlib
 License File: //third_party/zlib/LICENSE
 Shipped: yes

deps/zlib/contrib/minizip/unzip.c

@@ -1012,7 +1012,15 @@ local int unz64local_GetCurrentFileInfoInternal(unzFile file,
             {
                 int version = 0;
 
-                if (unz64local_getByte(&s->z_filefunc, s->filestream, &version) != UNZ_OK)
+                if (dataSize < 1 + 4)
+                {
+                    /* dataSize includes version (1 byte), uCrc (4 bytes), and
+                     * the filename data. If it's too small, fileNameSize below
+                     * would overflow. */
+                    err = UNZ_ERRNO;
+                    break;
+                }
+                else if (unz64local_getByte(&s->z_filefunc, s->filestream, &version) != UNZ_OK)
                 {
                     err = UNZ_ERRNO;
                 }
@@ -1032,7 +1040,7 @@ local int unz64local_GetCurrentFileInfoInternal(unzFile file,
                         err = UNZ_ERRNO;
                     }
                     uHeaderCrc = crc32(0, (const unsigned char *)szFileName, file_info.size_filename);
-                    fileNameSize = dataSize - (2 * sizeof (short) + 1);
+                    fileNameSize = dataSize - (1 + 4);  /* 1 for version, 4 for uCrc */
                     /* Check CRC against file name in the header. */
                     if (uHeaderCrc != uCrc)
                     {

deps/zlib/contrib/tests/utils_unittest.cc

@@ -13,6 +13,7 @@
 #if !defined(CMAKE_STANDALONE_UNITTESTS)
 #include "base/files/file_path.h"
 #include "base/files/scoped_temp_dir.h"
+#include "base/path_service.h"
 
 #include "third_party/zlib/contrib/minizip/unzip.h"
 #include "third_party/zlib/contrib/minizip/zip.h"
@@ -1287,4 +1288,27 @@ TEST(ZlibTest, ZipExtraFieldSize) {
   EXPECT_EQ(unzClose(uzf), UNZ_OK);
 }
 
+static base::FilePath TestDataDir() {
+  base::FilePath path;
+  bool success = base::PathService::Get(base::DIR_SRC_TEST_DATA_ROOT, &path);
+  EXPECT_TRUE(success);
+  return path
+      .AppendASCII("third_party")
+      .AppendASCII("zlib")
+      .AppendASCII("google")
+      .AppendASCII("test")
+      .AppendASCII("data");
+}
+
+TEST(ZlibTest, ZipUnicodePathExtraSizeFilenameOverflow) {
+  // This is based on components/test/data/unzip_service/bug953599.zip (added
+  // in https://crrev.com/1004132), with the Unicode Path Extra Field's
+  // dataSize hex edited to four.
+  base::FilePath zip_file = TestDataDir().AppendASCII("unicode_path_extra_overflow.zip");
+  unzFile uzf = unzOpen(zip_file.AsUTF8Unsafe().c_str());
+  ASSERT_NE(uzf, nullptr);
+  EXPECT_EQ(unzGoToFirstFile(uzf), UNZ_ERRNO);
+  EXPECT_EQ(unzClose(uzf), UNZ_OK);
+}
+
 #endif

deps/zlib/google/test_data.filelist

@@ -37,3 +37,4 @@ test/data/test_encrypted.zip
 test/data/test_mismatch_size.zip
 test/data/test_nocompress.zip
 test/data/test_posix_permissions.zip
+test/data/unicode_path_extra_overflow.zip

deps/zlib/patches/0016-minizip-parse-unicode-path-extra-field.patch

@@ -35,6 +35,18 @@ Date:   Fri May 16 15:48:19 2025 +0200
     Change-Id: Ifab65f470736b45b1b51a1cc130a5753a2b20583
     Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6553931
 
+commit 9f6e08ef47d3bc9438fdc3b1ab77126a7b36cce9
+Author: Hans Wennborg <[email protected]>
+Date:   Thu Jul 3 17:47:55 2025 +0200
+
+    [minizip] Fix Unicode Path Extra Field filename length overflow
+
+    If dataSize is too small, fileNameSize would overflow.
+
+    Bug: 428744375
+    Change-Id: I714fc1e30cb1634c31cb97ce87be225518368e57
+    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6701714
+
 diff --git a/third_party/zlib/contrib/minizip/unzip.c b/third_party/zlib/contrib/minizip/unzip.c
 index c8a01b23efd42..42677cff82c96 100644
 --- a/third_party/zlib/contrib/minizip/unzip.c
@@ -74,7 +86,15 @@ index c8a01b23efd42..42677cff82c96 100644
 +            {
 +                int version = 0;
 +
-+                if (unz64local_getByte(&s->z_filefunc, s->filestream, &version) != UNZ_OK)
++                if (dataSize < 1 + 4)
++                {
++                    /* dataSize includes version (1 byte), uCrc (4 bytes), and
++                     * the filename data. If it's too small, fileNameSize below
++                     * would overflow. */
++                    err = UNZ_ERRNO;
++                    break;
++                }
++                else if (unz64local_getByte(&s->z_filefunc, s->filestream, &version) != UNZ_OK)
 +                {
 +                    err = UNZ_ERRNO;
 +                }
@@ -94,7 +114,7 @@ index c8a01b23efd42..42677cff82c96 100644
 +                        err = UNZ_ERRNO;
 +                    }
 +                    uHeaderCrc = crc32(0, (const unsigned char *)szFileName, file_info.size_filename);
-+                    fileNameSize = dataSize - (2 * sizeof (short) + 1);
++                    fileNameSize = dataSize - (1 + 4);  /* 1 for version, 4 for uCrc */
 +                    /* Check CRC against file name in the header. */
 +                    if (uHeaderCrc != uCrc)
 +                    {

src/zlib_version.h

@@ -2,5 +2,5 @@
 // Refer to tools/dep_updaters/update-zlib.sh
 #ifndef SRC_ZLIB_VERSION_H_
 #define SRC_ZLIB_VERSION_H_
-#define ZLIB_VERSION "1.3.1-470d3a2"
+#define ZLIB_VERSION "1.3.1-3102d2a"
 #endif  // SRC_ZLIB_VERSION_H_