From 21d97a3b6c2dc1f411c30ad09cf0e1cf05f0c683 Mon Sep 17 00:00:00 2001
From: ckolivas
Date: Thu, 12 Feb 2026 19:10:09 +1100
Subject: [PATCH] Sanity check for potentially maliciously encoded expected size in magic header.
---
 lrzip.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lrzip.c b/lrzip.c
index 4cb305b..e004cf9 100644
--- a/lrzip.c
+++ b/lrzip.c
@@ -229,10 +229,14 @@ static bool get_magic(rzip_control *control, char *magic)
 /* Support the convoluted way we described size in versions < 0.40 */
 if (control->major_version == 0 && control->minor_version < 4) {
+ i64 ormask;
 memcpy(&v, &magic[6], 4);
 expected_size = ntohl(v);
 memcpy(&v, &magic[10], 4);
- expected_size |= ((i64)ntohl(v)) << 32;
+ ormask = ((i64)ntohl(v));
+ if (ormask > 0x7FFFFFFF)
+ failure_return(("Invalid expected size encoded in magic header\n"), false);
+ expected_size |= ormask << 32;
 } else {
 memcpy(&expected_size, &magic[6], 8);
 expected_size = le64toh(expected_size);
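Review bot: The new bound covers only the pre-0.40 branch; the `else` branch still loads all 8 header bytes through `le64toh` into `expected_size` with no range check. If `expected_size` is a signed `i64` (its declaration is outside the hunk, but the `(i64)` cast suggests so), a header that claims a newer version can presumably still produce a negative size. A matching guard after the `le64toh` line would close that, e.g. `if (expected_size < 0) failure_return(("Invalid expected size encoded in magic header\n"), false);`, or one such check placed after the if/else so both encodings are covered. A short comment above `if (ormask > 0x7FFFFFFF)` would also help, along the lines of `/* high word must leave bit 63 clear so the shifted result stays a non-negative i64 */`. get_magic's body starts and ends outside the hunk, so a later validation may already exist and should be confirmed.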