Fix CVE-2017-5974: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5974 Patch copied from Debian. Index: zziplib-0.13.62/zzip/memdisk.c =================================================================== --- zziplib-0.13.62.orig/zzip/memdisk.c +++ zziplib-0.13.62/zzip/memdisk.c @@ -216,12 +216,12 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI /* override sizes/offsets with zip64 values for largefile support */ zzip_extra_zip64 *block = (zzip_extra_zip64 *) zzip_mem_entry_extra_block(item, ZZIP_EXTRA_zip64); - if (block) + if (block && ZZIP_GET16(block->z_datasize) >= (8 + 8 + 8 + 4)) { - item->zz_usize = __zzip_get64(block->z_usize); - item->zz_csize = __zzip_get64(block->z_csize); - item->zz_offset = __zzip_get64(block->z_offset); - item->zz_diskstart = __zzip_get32(block->z_diskstart); + item->zz_usize = ZZIP_GET64(block->z_usize); + item->zz_csize = ZZIP_GET64(block->z_csize); + item->zz_offset = ZZIP_GET64(block->z_offset); + item->zz_diskstart = ZZIP_GET32(block->z_diskstart); } } /* NOTE: