How to see the uncompressed size before unpacking [duplicate]

Question

This question already has answers here:

How to find uncompressed size of ionic zip file (2 answers)

Closed 8 years ago.

I am using DotNetZip to extract zip files that come from an extenal (not trustworthy) source. My problem is that the zip file itself can be a couple of kilobytes, but the unzipped content can become petabytes. How to see the uncompressed size before unpacking? Is there a reliable way to see this and prevent a OutOfMemoryException?

As suggested below it can be done with ionic zip:

using (ZipFile zip = ZipFile.Read(zipFile))
                {
                 // Option 2 - will need to sift through the mass of info

                 info = zip.Info;

foreach (ZipEntry e in zip)
                    {
                        long uncompressedsize = e.UncompressedSize;
                        // Option 1
                        totaluncompressedsize += uncompressedsize;
                    }
                 }

But the question remains: Is the UncompressedSize completely reliable? Can someone change this information to make it appear as a small uncompressed size?

Answer 1

No, it's not completely reliable. The uncompressed size in a zip file can certainly be altered by a malicious source. You should use the uncompressed size to limit the memory used, and if the decompression goes past that, simply stop and reject the zip file. You should never rely on the input to avoid exceptions.

It is possible to decode a compressed entry and determine its uncompressed size without actually generating the uncompressed output. However there's not much point to that if you're going to decompress anyway. Decoding takes almost as long as decompressing. Just start decompressing and stop when you hit the claimed uncompressed size.

Answer 2

How to find uncompressed size of ionic zip file Is a similar question which might help you. Basically you iterate over each Entry and add the uncompressed size up.