From 86845f250508cf94cad35df8ff35aa4431f24042 Mon Sep 17 00:00:00 2001
From: David Leadbeater
Date: Fri, 12 Dec 2025 12:02:29 +1100
Subject: [PATCH] Check for overflow when calculating size of zip

---
 src/extract.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/extract.go b/src/extract.go
index d404578..59ef0ac 100644
--- a/src/extract.go
+++ b/src/extract.go
@@ -9,6 +9,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"os"
 	"strings"
 
@@ -174,6 +175,11 @@ func ExtractZip(ctx context.Context, reader io.Reader, oldManifest *Manifest) (*
 	// Detect and defuse zipbombs.
 	var totalSize uint64
 	for _, file := range archive.File {
+		if totalSize+file.UncompressedSize64 < totalSize {
+			// Would overflow
+			totalSize = math.MaxUint64
+			break
+		}
 		totalSize += file.UncompressedSize64
 	}
 	if totalSize > config.Limits.MaxSiteSize.Bytes() {
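Review bot: The overflow guard is correct, but `file.UncompressedSize64` is a value read from the attacker-supplied central directory, so summing it only defuses zip bombs that honestly declare their size; the actual extraction (outside this hunk, ExtractZip continues past it) still needs to bound the bytes really produced per file and in total, e.g. by copying through `io.LimitReader(rc, remaining+1)` and failing when more than `remaining` bytes arrive. As far as I recall, archive/zip limits the compressed input to CompressedSize64 but does not truncate the inflated output at UncompressedSize64 — it only reports the mismatch when EOF is reached — so a small declared size does not cap what deflate can emit. A simpler form that needs no sentinel and no `math` import is to compare each file against the remaining budget, which cannot overflow because `totalSize` never exceeds the limit: `limit := config.Limits.MaxSiteSize.Bytes()` before the loop, then `if file.UncompressedSize64 > limit-totalSize { return nil, errors.New("zip exceeds maximum site size") }` in place of the saturate-and-break. If the sentinel stays, the comment should say why saturation is safe, e.g. `// Saturate: any sum that wraps is certainly above the configured limit, which is checked below.`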