Sanity check the names of directories and files 7-Zip wants to create…

…. Also enable the preexisting CreateFileA check for BCC32.

Projects/Src/Compression.SevenZipDecoder.pas

@@ -18,7 +18,10 @@ function SevenZipDecode(const FileName, DestDir: String;
 implementation
 
 uses
-  Windows, SysUtils, Setup.LoggingFunc;
+  Windows, SysUtils, PathFunc, Setup.LoggingFunc;
+
+var
+  ExpandedDestDir: String;
 
 { Compiled by Visual Studio 2022 using compile.bat
   To enable source debugging recompile using compile-bcc32c.bat and turn off the VISUALSTUDIO define below
@@ -28,11 +31,16 @@ implementation
 
 function IS_7zDec(const fileName: PChar; const fullPaths: Bool): Integer; cdecl; external name '_IS_7zDec';
 
-{$IFDEF VISUALSTUDIO}
 function __CreateDirectoryW(lpPathName: LPCWSTR;
   lpSecurityAttributes: PSecurityAttributes): BOOL; cdecl;
 begin
-  Result := CreateDirectoryW(lpPathName, lpSecurityAttributes);
+  var ExpandedDir := PathExpand(lpPathName);
+  if PathStartsWith(ExpandedDir, ExpandedDestDir) then
+    Result := CreateDirectoryW(PChar(ExpandedDir), lpSecurityAttributes)
+  else begin
+    Result := False;
+    SetLastError(ERROR_ACCESS_DENIED);
+  end;
 end;
 
 { Never actually called but still required by the linker }
@@ -50,9 +58,17 @@ function __CreateFileW(lpFileName: LPCWSTR; dwDesiredAccess, dwShareMode: DWORD;
   lpSecurityAttributes: PSecurityAttributes; dwCreationDisposition, dwFlagsAndAttributes: DWORD;
   hTemplateFile: THandle): THandle; cdecl;
 begin
-  Result := CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile);
+  var ExpandedFileName := PathExpand(lpFileName);
+  if PathStartsWith(ExpandedFileName, ExpandedDestDir) then
+    Result := CreateFileW(PChar(ExpandedFileName), dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile)
+  else begin
+    Result := INVALID_HANDLE_VALUE;
+    SetLastError(ERROR_ACCESS_DENIED);
+  end;
 end;
 
+{$IFDEF VISUALSTUDIO}
+
 function __FileTimeToLocalFileTime(lpFileTime: PFileTime; var lpLocalFileTime: TFileTime): BOOL; cdecl;
 begin
   Result := FileTimeToLocalFileTime(lpFileTime, lpLocalFileTime);
@@ -211,6 +227,7 @@ function SevenZipDecode(const FileName, DestDir: String;
     Exit(-1);
   try
     LogBuffer := '';
+    ExpandedDestDir := PathExpand(DestDir);
     Result := IS_7zDec(PChar(FileName), FullPaths);
     if LogBuffer <> '' then
       Log(LogBuffer);

Projects/Src/Compression.SevenZipDecoder/7zDecode/IS7zDec.c

@@ -7,13 +7,8 @@
 
 #include "../../../../Components/Lzma2/Util/7z/Precomp.h" /* Says it must be included first */
 
-#ifdef _MSC_VER
-
-/* Stop 7-Zip from using stdcall functions which will get unavoidable decorated names from
-   MSVC's cl.exe which Delphi can't handle: first include windows.h and then hide the
-   functions 7-Zip wants to use with macros pointing to cdecl prototypes. This will enable
-   us to call the stdcall function from a cdecl implementation in Delphi and keeps the
-   rest of windows.h available to 7-Zip. */
+/* Stop 7-Zip from directly creating files and directories. This will enable us to perform
+   extra checks from a cdecl implementation in Delphi. */
 
 #include "../../../../Components/Lzma2/7zWindows.h"
 
@@ -26,6 +21,15 @@ HANDLE _CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode,
 HANDLE _CreateFileW(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
 #define CreateFileW _CreateFileW
 
+#ifdef _MSC_VER
+
+/* MSVC only:
+   Stop 7-Zip from using stdcall functions which will get unavoidable decorated names from
+   MSVC's cl.exe which Delphi can't handle: first include windows.h and then hide the
+   functions 7-Zip wants to use with macros pointing to cdecl prototypes. This will enable
+   us to call the stdcall function from a cdecl implementation in Delphi and keeps the
+   rest of windows.h available to 7-Zip. */
+
 BOOL _FileTimeToLocalFileTime(FILETIME* lpFileTime, LPFILETIME lpLocalFileTime);
 #define FileTimeToLocalFileTime _FileTimeToLocalFileTime