zip: sync with upstream

See golang/go#66869
klauspost · Jun 5, 2024 · 32bd396 · 32bd396
1 parent d9f6f55
commit 32bd396
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/zip/reader.go b/zip/reader.go
@@ -630,9 +630,13 @@ func findSignatureInBlock(b []byte) int {
 		if b[i] == 'P' && b[i+1] == 'K' && b[i+2] == 0x05 && b[i+3] == 0x06 {
 			// n is length of comment
 			n := int(b[i+directoryEndLen-2]) | int(b[i+directoryEndLen-1])<<8
-			if n+directoryEndLen+i <= len(b) {
-				return i
+			if n+directoryEndLen+i > len(b) {
+				// Truncated comment.
+				// Some parsers (such as Info-ZIP) ignore the truncated comment
+				// rather than treating it as a hard error.
+				return -1
 			}
+			return i
 		}
 	}
 	return -1

diff --git a/zip/reader_test.go b/zip/reader_test.go
@@ -553,6 +553,14 @@ var tests = []ZipTest{
 			},
 		},
 	},
+	// Issue 66869: Don't skip over an EOCDR with a truncated comment.
+	// The test file sneakily hides a second EOCDR before the first one;
+	// previously we would extract one file ("file") from this archive,
+	// while most other tools would reject the file or extract a different one ("FILE").
+	{
+		Name:  "comment-truncated.zip",
+		Error: ErrFormat,
+	},
 }
 
 func TestReader(t *testing.T) {

diff --git a/zip/testdata/comment-truncated.zip b/zip/testdata/comment-truncated.zip