Check for overflow when calculating size of zip

2026-05-14 11:11:35 +00:00 · 2025-12-12 12:02:29 +11:00
parent 7f112a761c
commit 86845f2505
1 changed files with 6 additions and 0 deletions
--- a/src/extract.go
+++ b/src/extract.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"os"
 	"strings"

@@ -174,6 +175,11 @@ func ExtractZip(ctx context.Context, reader io.Reader, oldManifest *Manifest) (*
 	// Detect and defuse zipbombs.
 	var totalSize uint64
 	for _, file := range archive.File {
+		if totalSize+file.UncompressedSize64 < totalSize {
+			// Would overflow
+			totalSize = math.MaxUint64
+			break
+		}
 		totalSize += file.UncompressedSize64
 	}
 	if totalSize > config.Limits.MaxSiteSize.Bytes() {