From ef5ce23d85c31b627f205b7800ee1a1573d25717 Mon Sep 17 00:00:00 2001
From: nickbabcock
Date: Mon, 10 Aug 2020 21:22:49 -0500
Subject: [PATCH] Fix overflow in directory counts of ZIP64 files
---
 src/read.rs | 19 ++++++++++++++++++-
 tests/data/invalid_offset2.zip | Bin 0 -> 117 bytes
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 tests/data/invalid_offset2.zip
diff --git a/src/read.rs b/src/read.rs
index e095a96a..cfe4078b 100644
--- a/src/read.rs
+++ b/src/read.rs
@@ -263,7 +263,13 @@ impl ZipArchive {
 );
 }
- let directory_start = footer.central_directory_offset + archive_offset;
+ let directory_start = footer
+ .central_directory_offset
+ .checked_add(archive_offset)
+ .ok_or_else(|| {
+ ZipError::InvalidArchive("Invalid central directory size or offset")
+ })?;
+
 Ok((
 archive_offset,
 directory_start,
@@ -834,6 +840,17 @@ mod test {
 assert!(reader.is_err());
 }
+ #[test]
+ fn invalid_offset2() {
+ use super::ZipArchive;
+ use std::io;
+
+ let mut v = Vec::new();
+ v.extend_from_slice(include_bytes!("../tests/data/invalid_offset2.zip"));
+ let reader = ZipArchive::new(io::Cursor::new(v));
+ assert!(reader.is_err());
+ }
+
+ #[test]
 fn zip64_with_leading_junk() {
 use super::ZipArchive;
diff --git a/tests/data/invalid_offset2.zip b/tests/data/invalid_offset2.zip
new file mode 100644
index 0000000000000000000000000000000000000000..944c611df1878ed5a0cbc3ba0ff408ff18770b11
GIT binary patch
literal 117
zcmWIWW@g!>{vQYeyxG`5Gzi>)P*9SM0SIIn0#F2zIhsJd>>x#qAOZ+
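Review bot: The new `checked_add` on `directory_start` in src/read.rs has no comment saying why the plain `+` was unsafe, so a later cleanup could fold it back. I would put `// central_directory_offset comes from the archive footer and is untrusted: a plain add panics in debug builds and wraps in release builds` above the `let`. The check also rejects only a sum that overflows. A sum that fits but lies past the end of the input still reaches the `Ok((` below, and whether a later step catches it cannot be seen here because the enclosing function starts and ends outside the hunk.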
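Review bot: `invalid_offset2` asserts only `reader.is_err()`, so it passes for any failure of `ZipArchive::new` on the fixture, not specifically the overflow path this commit closes. Pinning the variant would tie the test to the fix, for example `assert!(matches!(reader, Err(ZipError::InvalidArchive(_))));` with `ZipError` brought into scope in the test. A one-line comment naming which field of the 117-byte fixture is malformed would also help, since the binary file cannot be read in the diff.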