From 8415d12c6157858aa54b1364c2fe65069a568345 Mon Sep 17 00:00:00 2001
From: Vadim Zeitlin
Date: Sat, 28 Oct 2017 15:02:12 +0200
Subject: [PATCH] Fix signed integer overflow in ZIP reading code

Subtracting a huge negative offset from the current position could overflow it, which was correctly detected as undefined behaviour by UBSAN. Credit to OSS-Fuzz: this solves its issue 4388.
---
 src/common/zipstrm.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/common/zipstrm.cpp b/src/common/zipstrm.cpp
index 3aec0dd195..063c1edf4c 100644
--- a/src/common/zipstrm.cpp
+++ b/src/common/zipstrm.cpp
@@ -1719,8 +1719,11 @@ bool wxZipInputStream::LoadEndRecord()
             ReadSignature() == magic)
         {
             m_signature = magic;
             m_position = endPos - recSize;
-            m_offsetAdjustment = m_position - endrec.GetOffset();
-            return true;
+            if ( endrec.GetOffset() >= 0 && endrec.GetOffset() < m_position )
+            {
+                m_offsetAdjustment = m_position - endrec.GetOffset();
+                return true;
+            }
         }
         wxLogError(_("can't find central directory in zip"));
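Review bot: The strict `endrec.GetOffset() < m_position` in the new guard also rejects an offset equal to `m_position`, which is what an archive with an empty central directory would carry if `m_position` is the start of the end record (it is assigned two lines above, but what `endPos` and `recSize` denote is outside the hunk), so such archives would now fall through to the "can't find central directory in zip" error; if that case is legitimate, `<=` keeps the overflow protection, since the subtraction then yields 0 with both operands non-negative. Reading the file-supplied value once, `const wxFileOffset offset = endrec.GetOffset();` (assuming that is its type), avoids the double call and gives a natural place for a comment such as `// Reject offsets outside [0, m_position]: this value comes from the file, and a bogus one would overflow the subtraction below.`. LoadEndRecord starts and ends outside the hunk.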