ofz#57529 Integer-overflow

Change-Id: I93775299aa340e2e645a04be5d0bc36a9caea103
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/149773
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolanm@redhat.com>

1 files changed, 7 insertions, 2 deletions

diff --git a/package/source/zipapi/XUnbufferedStream.cxx b/package/source/zipapi/XUnbufferedStream.cxx
index b0a18cc0a683..e3c31d5fca1c 100644
--- a/package/source/zipapi/XUnbufferedStream.cxx
+++ b/package/source/zipapi/XUnbufferedStream.cxx
@@ -28,6 +28,7 @@
 #include <algorithm>
 #include <string.h>
 
+#include <o3tl/safeint.hxx>
 #include <osl/diagnose.h>
 #include <osl/mutex.hxx>
 #include <utility>
@@ -65,20 +66,24 @@ XUnbufferedStream::XUnbufferedStream(
 , mbCheckCRC(!bRecoveryMode)
 {
     mnZipCurrent = maEntry.nOffset;
+    sal_Int64 nSize;
     if ( mbRawStream )
     {
         mnZipSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize;
-        mnZipEnd = maEntry.nOffset + mnZipSize;
+        nSize = mnZipSize;
     }
     else
     {
         mnZipSize = maEntry.nSize;
-        mnZipEnd = maEntry.nMethod == DEFLATED ? maEntry.nOffset + maEntry.nCompressedSize : maEntry.nOffset + maEntry.nSize;
+        nSize = maEntry.nMethod == DEFLATED ? maEntry.nCompressedSize : maEntry.nSize;
     }
 
     if (mnZipSize < 0)
         throw ZipIOException("The stream seems to be broken!");
 
+    if (o3tl::checked_add(maEntry.nOffset, nSize, mnZipEnd))
+        throw ZipIOException("Integer-overflow");
+
     bool bHaveEncryptData = rData.is() && rData->m_aInitVector.hasElements() &&
         ((rData->m_aSalt.hasElements() && rData->m_nIterationCount != 0)
          ||