ofz#65480: Integer-overflow

Change-Id: Ie771e6e37237907698e4c39eb50cd940500b86ca Reviewed-on: https://gerrit.libreoffice.org/c/core/+/161540 Tested-by: Caolán McNamara <caolan.mcnamara@collabora.com> Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
author: Caolán McNamara <caolan.mcnamara@collabora.com> 2024-01-02 12:31:01 +0000
committer: Caolán McNamara <caolan.mcnamara@collabora.com> 2024-01-02 20:15:00 +0100
commit: 69181dd430543db21fc0e61b70033ef484708c1c (patch)
tree: 01f5e20c851151192b58c32b8eb42d6d998ac5e8 /package
parent: 4d8b5a91a76262d6dd58342b248e542ddea1fdaf (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/package/source/zipapi/ZipFile.cxx b/package/source/zipapi/ZipFile.cxx
index 6137e3a0bb0a..474b73ff53db 100644
--- a/package/source/zipapi/ZipFile.cxx
+++ b/package/source/zipapi/ZipFile.cxx
@@ -1126,8 +1126,10 @@ sal_Int32 ZipFile::readCEN()
             aEntry.nSize = nSize;
             aEntry.nOffset = nOffset;
 
-            aEntry.nOffset += nLocPos;
-            aEntry.nOffset *= -1;
+            if (o3tl::checked_add<sal_Int64>(aEntry.nOffset, nLocPos, aEntry.nOffset))
+                throw ZipException("Integer-overflow");
+            if (o3tl::checked_multiply<sal_Int64>(aEntry.nOffset, -1, aEntry.nOffset))
+                throw ZipException("Integer-overflow");
 
             aMemGrabber.skipBytes(nCommentLen);
             aEntries[aEntry.sPath] = aEntry;
author	Caolán McNamara <caolan.mcnamara@collabora.com>	2024-01-02 12:31:01 +0000
committer	Caolán McNamara <caolan.mcnamara@collabora.com>	2024-01-02 20:15:00 +0100
commit	69181dd430543db21fc0e61b70033ef484708c1c (patch)
tree	01f5e20c851151192b58c32b8eb42d6d998ac5e8 /package
parent	4d8b5a91a76262d6dd58342b248e542ddea1fdaf (diff)