Extracted from a patch in Fedora.

http://pkgs.fedoraproject.org/cgit/unzip.git/tree/unzip-6.0-heap-overflow-infloop.patch?id=d18f821e

From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Tue, 22 Sep 2015 18:52:23 +0200
Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input

Suggested-by: Stefan Cornelius
---
 extract.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/extract.c b/extract.c
index 29db027..b9ae667 100644
--- a/extract.c
+++ b/extract.c
@@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
         if (G.lrec.compression_method == STORED) {
             zusz_t csiz_decrypted = G.lrec.csize;
 
-            if (G.pInfo->encrypted)
+            if (G.pInfo->encrypted) {
+                if (csiz_decrypted <= 12) {
+                    /* handle the error now to prevent unsigned overflow */
+                    Info(slide, 0x401, ((char *)slide,
+                      LoadFarStringSmall(ErrUnzipNoFile),
+                      LoadFarString(InvalidComprData),
+                      LoadFarStringSmall2(Inflate)));
+                    return PK_ERR;
+                }
                 csiz_decrypted -= 12;
+            }
             if (G.lrec.ucsize != csiz_decrypted) {
                 Info(slide, 0x401, ((char *)slide,
                   LoadFarStringSmall2(WrnStorUCSizCSizDiff),
-- 
2.5.2

nput type='hidden' name='id' value='9f5115dbf502c6d2ce4200f5b4bac93aef5b02e2'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=9f5115dbf502c6d2ce4200f5b4bac93aef5b02e2'>root</a>/<a href='/guix/log/m4?id=9f5115dbf502c6d2ce4200f5b4bac93aef5b02e2'>m4</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/m4?id=9f5115dbf502c6d2ce4200f5b4bac93aef5b02e2&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2023-11-07 18:07:11 +0200'>2023-11-07</span></td><td><a href='/guix/commit/m4?id=220759226e93d76d8d80058f69f9d8b29714bbde'>build: Fix spelling in m4 macros.</a><span class='msg-avail'>...<span class='msg-tooltip'>* m4/guix.m4 (GUIX_CHECK_GUILE_SSH): Fix spelling of parameter.
(GUIX_CHECK_FILE_NAME_LIMITS): Fix spelling of maximum.

Change-Id: I93c80441393622a4bc06daa475eee13874cca527
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2023-03-16 12:37:03 +0100'>2023-03-16</span></td><td><a href='/guix/commit/m4?id=8e3dfb3d6dfc0f19bd9a9f9b163f0f3d7dccc865'>build: Correct guix_system on musl libc distros.</a><span class='msg-avail'>...<span class='msg-tooltip'>* m4/guix.m4 (GUIX_SYSTEM_TYPE): Add linux-musl* case. This prevents
the macro from mis-parsing the host OS, which causes breakage when
building from source.

Signed-off-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>Antero Mejr</td></tr>

Age	Commit message (Expand)	Author
2023-11-07	build: Fix spelling in m4 macros....* m4/guix.m4 (GUIX_CHECK_GUILE_SSH): Fix spelling of parameter. (GUIX_CHECK_FILE_NAME_LIMITS): Fix spelling of maximum. Change-Id: I93c80441393622a4bc06daa475eee13874cca527	Efraim Flashner
2023-03-16	build: Correct guix_system on musl libc distros....* m4/guix.m4 (GUIX_SYSTEM_TYPE): Add linux-musl* case. This prevents the macro from mis-parsing the host OS, which causes breakage when building from source. Signed-off-by: Ludovic Courtès <ludo@gnu.org>	Antero Mejr