From 58ca4e57ce7d76734d8b5afa03d205f694419b17 Mon Sep 17 00:00:00 2001 From: Mark Adler Date: Sat, 1 Jan 2022 12:09:30 -0800 Subject: [PATCH] =?utf8?q?Fix=20unztell64()=20in=20minizip=20to=20work=20p?= =?utf8?q?ast=204GB.=20(Dani=C3=ABl=20H=C3=B6rchner)?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The issue is that unztell64() does not return the correct value if the position in the current file (in the ZIP archive) is beyond 4 GB. The cause is that unzReadCurrentFile() does not account for pfile_in_zip_read_info->stream.total_out at line 1854 of unzip.c wrapping around (it is a 32-bit variable). So, on line 1860 uTotalOutAfter can be *less* than uTotalOutBefore, propagating the wraparound to uOutThis, which in turn is added to pfile_in_zip_read_info->total_out_64. That has the effect of subtracting 4 GB. --- contrib/minizip/unzip.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/contrib/minizip/unzip.c b/contrib/minizip/unzip.c index bcfb941..b16a75e 100644 --- a/contrib/minizip/unzip.c +++ b/contrib/minizip/unzip.c @@ -1857,6 +1857,9 @@ extern int ZEXPORT unzReadCurrentFile (unzFile file, voidp buf, unsigned len) err = Z_DATA_ERROR; uTotalOutAfter = pfile_in_zip_read_info->stream.total_out; + /* Detect overflow, because z_stream.total_out is uLong (32 bits) */ + if (uTotalOutAftertotal_out_64 = pfile_in_zip_read_info->total_out_64 + uOutThis; -- 2.44.0
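Review bot: the hunk as extracted here breaks off right after `if (uTotalOutAfter` and resumes at `total_out_64 = pfile_in_zip_read_info->total_out_64 + uOutThis;`, so the comparison operand and the statement executed on wrap are not visible and cannot be reviewed from this text; whatever that branch adds back must be applied to a variable wider than 32 bits, otherwise the correction wraps again before `uOutThis` is computed. The detection itself (after < before) is only sound if a single call advances `stream.total_out` by fewer than 2^32 bytes, which the `unsigned len` parameter in the hunk header guarantees; that assumption deserves a comment next to the check. The added comment also states that uLong is 32 bits unconditionally, but zlib's uLong is `unsigned long`, which is 64 bits on LP64 platforms, so there the check is simply never true (harmless, but "may be 32 bits" would be the accurate wording).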
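A constructed C model of the accounting the commit message describes, added here and not part of the patch or of minizip: a 32-bit counter stands in for z_stream.total_out, a 64-bit running total for total_out_64, and the pre-fix subtraction is shown beside an assumed corrected form (adding 2^32 when the later snapshot is smaller). All function and variable names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the byte accounting in unzReadCurrentFile():
 * counter32 stands in for z_stream.total_out on a platform where uLong is
 * 32 bits; total64 stands in for total_out_64. Names are this example's own. */

#define WRAP (1ULL << 32)

/* Pre-fix accounting: the 64-bit snapshots of the 32-bit counter are
 * subtracted directly. When the counter wrapped between the snapshots,
 * after < before and the unsigned difference is 2^64 - (before - after). */
uint64_t accumulate_naive(uint64_t total64, uint32_t before, uint32_t after) {
    uint64_t out_this = (uint64_t)after - (uint64_t)before;
    return total64 + out_this;   /* modulo 2^64: effectively subtracts 2^32 */
}

/* Corrected accounting (assumed form of the fix, not the patch's own
 * lines): undo one wrap of the 32-bit counter before taking the difference.
 * Valid only if a single call advances the counter by fewer than 2^32
 * bytes, which holds because the output buffer length is 'unsigned len'. */
uint64_t accumulate_fixed(uint64_t total64, uint32_t before, uint32_t after) {
    uint64_t after64 = after;
    if (after64 < before)
        after64 += WRAP;
    return total64 + (after64 - before);
}

/* Drive both versions across a wrap: 4 GB - 16 bytes already produced,
 * then one call producing 32 more bytes (constructed read sizes). */
uint64_t simulate(uint64_t (*acc)(uint64_t, uint32_t, uint32_t)) {
    uint64_t total64 = 0;
    uint32_t counter32 = 0;
    uint64_t chunks[] = { WRAP - 16, 32 };
    for (int i = 0; i < 2; i++) {
        uint32_t before = counter32;
        counter32 += (uint32_t)chunks[i];    /* 32-bit counter wraps here */
        total64 = acc(total64, before, counter32);
    }
    return total64;
}

int main(void) {
    printf("naive: %llu\nfixed: %llu\n",
           (unsigned long long)simulate(accumulate_naive),
           (unsigned long long)simulate(accumulate_fixed));
    return 0;
}
```

The naive total comes out exactly 4 GB short of the fixed one, which is the symptom unztell64() exposed.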