From 397e2d5118dcc5ebd8dedfe731de02fb4277960f Mon Sep 17 00:00:00 2001
From: Caolán McNamara <caolanm@redhat.com>
Date: Thu, 30 Mar 2023 21:03:01 +0100
Subject: ofz#57529 Integer-overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Change-Id: I93775299aa340e2e645a04be5d0bc36a9caea103
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149773
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
---
 package/source/zipapi/XUnbufferedStream.cxx | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'package')

diff --git a/package/source/zipapi/XUnbufferedStream.cxx b/package/source/zipapi/XUnbufferedStream.cxx
index b0a18cc0a683..e3c31d5fca1c 100644
--- a/package/source/zipapi/XUnbufferedStream.cxx
+++ b/package/source/zipapi/XUnbufferedStream.cxx
@@ -28,6 +28,7 @@
 #include <algorithm>
 #include <string.h>
 
+#include <o3tl/safeint.hxx>
 #include <osl/diagnose.h>
 #include <osl/mutex.hxx>
 #include <utility>
@@ -65,20 +66,24 @@ XUnbufferedStream::XUnbufferedStream(
 , mbCheckCRC(!bRecoveryMode)
 {
     mnZipCurrent = maEntry.nOffset;
+    sal_Int64 nSize;
     if ( mbRawStream )
     {
         mnZipSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize;
-        mnZipEnd = maEntry.nOffset + mnZipSize;
+        nSize = mnZipSize;
     }
     else
     {
         mnZipSize = maEntry.nSize;
-        mnZipEnd = maEntry.nMethod == DEFLATED ? maEntry.nOffset + maEntry.nCompressedSize : maEntry.nOffset + maEntry.nSize;
+        nSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize;
     }
 
     if (mnZipSize < 0)
         throw ZipIOException("The stream seems to be broken!");
 
+    if (o3tl::checked_add(maEntry.nOffset, nSize, mnZipEnd))
+        throw ZipIOException("Integer-overflow");
+
     bool bHaveEncryptData = rData.is() && rData->m_aInitVector.hasElements() &&
         ((rData->m_aSalt.hasElements() && rData->m_nIterationCount != 0)
          ||
-- 
cgit v1.2.3