Zip64 support is broken
Problem description:

Trying to write a large (>4Gb) zip-ed image results in an immediate error:

![image](/uploads/c3a9208577b9acd0f5619ba58de2bc05/image.png)

The error is confusing, since the .zip file is certainly not encrypted.

Steps to reproduce:

1. On an Ubuntu Linux machine create an image file larger than 4 Gb:
   ```
   dd if=/dev/zero of=1.img bs=1M count=5K
   ```
2. Compress with zip:
   ```
   zip 1.img.zip 1.img
   ```
3. Open the 1.img.zip file in UsbImager and try to write it.

Root cause:

I believe the error is because of the wrong buffer bounds calculation while parsing zip64 extra header in [stream_open(), src/stream.c](https://gitlab.com/bztsrc/usbimager/-/blob/master/src/stream.c?ref_type=heads#L560): `sizeof(ctx->compBuf)` evaluates to `unsigned char *` pointer size (8 bytes), and not the actual buffer size. Same problem for [Zstd parsing](https://gitlab.com/bztsrc/usbimager/-/blob/master/src/stream.c?ref_type=heads#L492).

Please consider applying the following patch: ``` diff --git a/src/stream.c b/src/stream.c index 1f1930c..e47ba08 100644 --- a/src/stream.c +++ b/src/stream.c @@ -489,7 +489,7 @@ int stream_open(stream_t *ctx, char *fn, int uncompr) if(verbose) printf(" zstd\r\n"); ctx->compSize = fs; ctx->cmrdSize = hs; - zr = (uint64_t)ZSTD_getFrameContentSize(ctx->compBuf, sizeof(ctx->compBuf)); + zr = (uint64_t)ZSTD_getFrameContentSize(ctx->compBuf, buffer_size); if(zr != ZSTD_CONTENTSIZE_UNKNOWN && zr != ZSTD_CONTENTSIZE_ERROR) ctx->fileSize = zr; else 
@@ -557,7 +557,7 @@ int stream_open(stream_t *ctx, char *fn, int uncompr) /* zip64 */ if(verbose) printf(" zip64\r\n"); for(x = 30 + ctx->compBuf[26] + (ctx->compBuf[27]<<8), y = x + ctx->compBuf[28] + (ctx->compBuf[29]<<8); - x < y && x < (int)sizeof(ctx->compBuf) - 4; x += 4 + ctx->compBuf[x + 2] + (ctx->compBuf[x + 3]<<8)) + x < y && x < buffer_size - 4; x += 4 + ctx->compBuf[x + 2] + (ctx->compBuf[x + 3]<<8)) if(ctx->compBuf[x] == 1 && ctx->compBuf[x + 1] == 0) { memcpy(&ctx->compSize, ctx->compBuf + x + 12, 8); memcpy(&ctx->fileSize, ctx->compBuf + x + 4, 8); ```
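Review bot: In the zstd hunk, `buffer_size` is not declared anywhere in the visible context, so it is unclear whether it is the allocated size of `ctx->compBuf` or the number of bytes actually read into it. `ZSTD_getFrameContentSize()` takes the count of valid source bytes as its second argument; if `hs` (assigned to `ctx->cmrdSize` two lines above) is that count, passing it instead would keep zstd from parsing leftover buffer contents when the file is shorter than the buffer. Please also say in the commit message where `buffer_size` comes from.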
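Review bot: The loop condition `x < buffer_size - 4` in the zip64 hunk only covers the 4-byte field header, while the body copies 8 bytes from `ctx->compBuf + x + 12`, so a field with id 0x0001 that starts near the end of the buffer is read up to 15 bytes past the bound. Suggest checking `x + 20 <= buffer_size`, and that the declared field length at `x + 2` is at least 16, before the two `memcpy` calls. The patch also drops the `(int)` cast: if `buffer_size` is unsigned and `x` is an `int`, as the removed cast suggests, the comparison becomes mixed-sign, so either keep the cast or make `x` and `y` unsigned.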
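An added example, not taken from the issue or from the UsbImager source: a bounds-checked lookup of the zip64 extra field that receives the number of valid bytes as an explicit argument, run over a constructed local file header. The names `zip64_sizes`, `rd16`, `rd64` and `SAMPLE` are hypothetical. With a pointer-sized length (8 bytes) the lookup fails immediately, matching the root cause described above, where the first extra-field offset is already at least 30.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static uint64_t rd64(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}
/* Hypothetical helper: zip64 sizes from a local file header in buf[0..len).
 * len is the number of valid bytes, never sizeof of a pointer.
 * Returns 0 on success, -1 if the field is absent, short or truncated. */
int zip64_sizes(const unsigned char *buf, size_t len,
                uint64_t *file_size, uint64_t *comp_size)
{
    if (len < 30) return -1;                  /* fixed header part missing */
    size_t x = 30 + rd16(buf + 26);           /* skip the file name */
    size_t end = x + rd16(buf + 28);          /* end of the extra area */
    if (end > len) end = len;                 /* clamp to the bytes we hold */
    while (x + 4 <= end) {
        size_t dlen = rd16(buf + x + 2);
        if (dlen > end - (x + 4)) return -1;  /* field overruns the area */
        if (rd16(buf + x) == 0x0001) {        /* zip64 extended information */
            if (dlen < 16) return -1;         /* need both 8-byte sizes */
            *file_size = rd64(buf + x + 4);   /* uncompressed size */
            *comp_size = rd64(buf + x + 12);  /* compressed size */
            return 0;
        }
        x += 4 + dlen;
    }
    return -1;
}
/* Constructed sample: local file header for "1.img" with a zip64 field. */
static const unsigned char SAMPLE[55] = {
    'P', 'K', 3, 4, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,      /* bytes 0..17 */
    0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,         /* 32-bit sizes saturated */
    5, 0, 20, 0,                                      /* name len, extra len */
    '1', '.', 'i', 'm', 'g',
    0x01, 0x00, 0x10, 0x00,                           /* id 0x0001, 16 bytes */
    0x00, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00, 0x00,   /* 5 GiB uncompressed */
    0x10, 0x80, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x00 }; /* compressed, made up */
int main(void)
{
    uint64_t fs = 0, cs = 0;
    int rc = zip64_sizes(SAMPLE, sizeof(SAMPLE), &fs, &cs);
    printf("rc=%d file=%llu comp=%llu\n", rc,
           (unsigned long long)fs, (unsigned long long)cs);
    return rc != 0;
}
```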