Extracted from a patch in Fedora. http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 22 Sep 2015 18:52:23 +0200 Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input Suggested-by: Stefan Cornelius --- extract.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/extract.c b/extract.c index 29db027..b9ae667 100644 --- a/extract.c +++ b/extract.c @@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk, if (G.lrec.compression_method == STORED) { zusz_t csiz_decrypted = G.lrec.csize; - if (G.pInfo->encrypted) + if (G.pInfo->encrypted) { + if (csiz_decrypted <= 12) { + /* handle the error now to prevent unsigned overflow */ + Info(slide, 0x401, ((char *)slide, + LoadFarStringSmall(ErrUnzipNoFile), + LoadFarString(InvalidComprData), + LoadFarStringSmall2(Inflate))); + return PK_ERR; + } csiz_decrypted -= 12; + } if (G.lrec.ucsize != csiz_decrypted) { Info(slide, 0x401, ((char *)slide, LoadFarStringSmall2(WrnStorUCSizCSizDiff), -- 2.5.2
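Review bot: The guard `if (csiz_decrypted <= 12)` in the encrypted STORED branch also rejects a compressed size of exactly 12, where `csiz_decrypted -= 12;` yields 0 and cannot wrap; only values below 12 underflow the unsigned `zusz_t`. Consider `< 12` so that an entry whose compressed size equals the 12 subtracted bytes still reaches the `G.lrec.ucsize != csiz_decrypted` comparison, or state in the comment why 12 itself is treated as invalid. The error path also passes `LoadFarStringSmall2(Inflate)` although this branch handles `compression_method == STORED`, so the message names the wrong method. The literal 12 now appears in both the check and the subtraction; a named constant would keep the two in sync.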
path: root/tests/file-systems.scm
Age | Commit message | Author

2021-07-18 | pack: Streamline how files are included in tarballs. | Maxim Cournoyer

    Thanks to Guillem Jover <guillem@debian.org> on the OFTC's #debian-dpkg channel for helping with troubleshooting.

    Letting GNU Tar recursively walk the complete files hierarchy side-steps the risks associated with providing a list of file names:

    1. Duplicated files in the archive (recorded as hard links by GNU Tar)
    2. Missing parent directories.

    The above would cause dpkg to malfunction, for example by aborting early and skipping triggers when there were missing parent directories.

    * guix/scripts/pack.scm (self-contained-tarball/builder): Do not call POPULATE-SINGLE-PROFILE-DIRECTORY, which creates extraneous files such as /root. Instead, call POPULATE-STORE and INSTALL-DATABASE-AND-GC-ROOTS individually to more precisely generate the file system. Replace the list of files by the current directory, "." and streamline the way options are passed.
    * gnu/system/file-systems.scm (reduce-directories): Remove procedure.
    * tests/file-systems.scm ("reduce-directories"): Remove test.

2021-06-29 | pack: Prevent duplicate files in tar archives. | Maxim Cournoyer

    Tar translates duplicate files in the archive into hard links. These can cause problems, as not every tool supports them; for example dpkg doesn't.

    * gnu/system/file-systems.scm (reduce-directories): New procedure.
    (file-prefix?): Lift the restriction on file prefix. The procedure can be useful for comparing relative file names. Adjust doc.
    (file-name-depth): New procedure, extracted from ...
    (btrfs-store-subvolume-file-name): ... here.
    * guix/scripts/pack.scm (self-contained-tarball/builder): Use reduce-directories.
    * tests/file-systems.scm ("reduce-directories"): New test.

2020-05-20 | bootloader: grub: Allow booting from a Btrfs subvolume. | Maxim Cournoyer

    * gnu/bootloader/grub.scm (strip-mount-point): Remove procedure.
    (normalize-file): Add procedure.
    (grub-configuration-file): New BTRFS-SUBVOLUME-FILE-NAME parameter. When defined, prepend its value to the kernel and initrd file names, using the NORMALIZE-FILE procedure. Adjust the call to EYE-CANDY to pass the BTRFS-SUBVOLUME-FILE-NAME argument. Normalize the KEYMAP file as well.
    (eye-candy): Add a BTRFS-SUBVOLUME-FILE-NAME parameter, and use it, along with the NORMALIZE-FILE procedure, to normalize the FONT-FILE and IMAGE nested variables. Adjust doc.
    * gnu/bootloader/depthcharge.scm (depthcharge-configuration-file): Adapt.
    * gnu/bootloader/extlinux.scm (extlinux-configuration-file): Likewise.
    * gnu/system/file-systems.scm (btrfs-subvolume?) (btrfs-store-subvolume-file-name): New procedures.
    * gnu/system.scm (operating-system-bootcfg): Specify the Btrfs subvolume file name the store resides on to the `operating-system-bootcfg' procedure, using the new BTRFS-SUBVOLUME-FILE-NAME argument.
    * doc/guix.texi (File Systems): Add a Btrfs subsection to document the use of subvolumes.
    * gnu/tests/install.scm (%btrfs-root-on-subvolume-os) (%btrfs-root-on-subvolume-os-source) (%btrfs-root-on-subvolume-installation-script) (%test-btrfs-root-on-subvolume-os): New variables.

2020-05-20 | file-systems: Add helpers for parsing the options string into an alist. | Maxim Cournoyer

    * gnu/system/file-systems.scm (file-system-options->alist) (alist->file-system-options): New procedures.
    * tests/file-systems.scm: New tests.
    * doc/guix.texi (File Systems): Add note about the newly added procedures.