package/source/zipapi/ZipFile.cxx | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
New commits:
commit 69181dd430543db21fc0e61b70033ef484708c1c
Author: Caolán McNamara <caolan.mcnam...@collabora.com>
AuthorDate: Tue Jan 2 12:31:01 2024 +0000
Commit: Caolán McNamara <caolan.mcnam...@collabora.com>
CommitDate: Tue Jan 2 20:15:00 2024 +0100
ofz#65480: Integer-overflow
Change-Id: Ie771e6e37237907698e4c39eb50cd940500b86ca
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/161540
Tested-by: Caolán McNamara <caolan.mcnam...@collabora.com>
Reviewed-by: Caolán McNamara <caolan.mcnam...@collabora.com>
diff --git a/package/source/zipapi/ZipFile.cxx
b/package/source/zipapi/ZipFile.cxx
index 6137e3a0bb0a..474b73ff53db 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -1126,8 +1126,10 @@ sal_Int32 ZipFile::readCEN()
aEntry.nSize = nSize;
aEntry.nOffset = nOffset;
- aEntry.nOffset += nLocPos;
- aEntry.nOffset *= -1;
+ if (o3tl::checked_add<sal_Int64>(aEntry.nOffset, nLocPos,
aEntry.nOffset))
+ throw ZipException("Integer-overflow");
+ if (o3tl::checked_multiply<sal_Int64>(aEntry.nOffset, -1,
aEntry.nOffset))
+ throw ZipException("Integer-overflow");
aMemGrabber.skipBytes(nCommentLen);
aEntries[aEntry.sPath] = aEntry;
