Fix CVE-2017-5978: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978 Patch copied from Debian. Index: zziplib-0.13.62/zzip/memdisk.c =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.c +++ zziplib-0.13.62/zzip/memdisk.c @@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI * that exists in the other, ... but we will prefer the disk entry. */ item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry); - item->zz_name = zzip_disk_entry_strdup_name(disk, entry); + item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup(""); item->zz_data = zzip_file_header_to_data(header); item->zz_flags = zzip_disk_entry_get_flags(entry); item->zz_compr = zzip_disk_entry_get_compr(entry); @@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI int /* */ ext2 = zzip_file_header_get_extras(header); char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header); - if (ext1) + if (ext1 && ((ptr1 + ext1) < disk->endbuf)) { void *mem = malloc(ext1 + 2); item->zz_ext[1] = mem; @@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI ((char *) (mem))[ext1 + 0] = 0; ((char *) (mem))[ext1 + 1] = 0; } - if (ext2) + if (ext2 && ((ptr2 + ext2) < disk->endbuf)) { void *mem = malloc(ext2 + 2); item->zz_ext[2] = mem;