diff --git a/jmccc/src/main/java/org/to2mbn/jmccc/launch/LauncherImpl.java b/jmccc/src/main/java/org/to2mbn/jmccc/launch/LauncherImpl.java
index 5958395..cddba34 100644
--- a/jmccc/src/main/java/org/to2mbn/jmccc/launch/LauncherImpl.java
+++ b/jmccc/src/main/java/org/to2mbn/jmccc/launch/LauncherImpl.java
@@ -191,6 +191,10 @@ private void decompressZipWithExcludes(File zip, File outputDir, Set exc
 }
 File outFile = new File(outputDir, entry.getName());
+
+ if (!outFile.toPath().normalize().startsWith(outputDir.toPath().normalize())) {
+ throw new IOException("Bad zip entry");
+ }
 boolean match; // true if two files are the same
 if (outFile.isFile() && outFile.length() == entry.getSize()) { // same length, check the content
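Review bot: The `IOException("Bad zip entry")` thrown by the new containment check names neither the archive nor the offending entry, so a rejected file cannot be traced from logs; I would write `throw new IOException("Zip entry escapes output directory: " + entry.getName() + " in " + zip);`. The check is also purely lexical: `normalize()` neither resolves symlinks nor makes the path absolute. If `outputDir` can ever be `.`, it normalizes to an empty path and, as far as I can tell from `Path.startsWith` semantics, every legitimate entry would be rejected, which `toAbsolutePath().normalize()` on both sides avoids. A one-line comment such as `// reject entries whose resolved path leaves outputDir (zip path traversal)` would record why the guard exists. The body of `decompressZipWithExcludes` starts and ends outside this hunk, so any other validation of entry names is not visible here.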