From 5195e788d4ae4a3fcbfe1f147c9cdd39e6c11150 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Sat, 28 Oct 2017 15:02:12 +0200
Subject: [PATCH] Fix unsigned integer overflow in ZIP reading code

Blindly adding 4 to an unsigned length field could result in 0 and this led to an infinite loop while iterating over all header fields. Avoid this by promoting the length to int first, before adding 4 to it. Credit to OSS-Fuzz: this solves its issue 4083.
---
 src/common/zipstrm.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/common/zipstrm.cpp b/src/common/zipstrm.cpp
index 6984da8ad3..3aec0dd195 100644
--- a/src/common/zipstrm.cpp
+++ b/src/common/zipstrm.cpp
@@ -1065,9 +1065,13 @@ bool wxZipEntry::LoadExtraInfo(const char* extraData, wxUint16 extraLen, bool lo
         return true;
     }
 
-    fieldLen += 4;
-    extraData += fieldLen;
-    extraLen -= fieldLen;
+    // Avoid "optimizing" the lines below by doing "fieldLen += 4" as this
+    // could overflow wxUint16 range and, at worst, make fieldLen equal to
+    // 0 resulting in an infinite loop. Written as it is now, everything is
+    // promoted to int, which has range large enough to deal with any value
+    // of the field length.
+    extraData += fieldLen + 4;
+    extraLen -= fieldLen + 4;
 }
 
 // extraInfo had unknown format
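Review bot: The promotion to int removes the wrap-to-zero, but the two new lines still advance the cursor by `fieldLen + 4` without checking that this many bytes remain: `extraLen` is a `wxUint16` parameter (see the @@ header), so when a field declares a length larger than the remaining data, `extraLen -= fieldLen + 4` wraps back into unsigned range and `extraData` now points past the end of the extra-info buffer, which the next iteration would then read. The loop header and the reads of `fieldID`/`fieldLen` are outside the hunk, so if the loop condition already rejects `fieldLen + 4 > extraLen` this is moot; otherwise a guard before the pointer arithmetic, `if ( fieldLen + 4 > extraLen ) return false; // truncated extra field`, turns a malformed or fuzzed archive into a parse failure instead of an out-of-bounds read. The in-code comment is useful; it would be worth adding one sentence to it noting that the caller-supplied length must also be validated against `extraLen`, since that is the other half of the same class of bug.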