Prevent overflow errors, and add a correctness comment

Kijewski · Kijewski · commit 11b6fc1bb631 · 2026-03-29T00:20:00.000+01:00
diff --git a/api/src/sign/mod.rs b/api/src/sign/mod.rs
@@ -78,7 +78,11 @@ pub fn gather_signature_data(
         return Err(SignaturesError::Empty.into());
     }
 
-    let signature_bytes = HEADER_SIZE + keys.len() * SIGNATURE_LENGTH;
+    let signature_bytes = keys
+        .len()
+        .checked_mul(SIGNATURE_LENGTH)
+        .and_then(|s| s.checked_add(HEADER_SIZE))
+        .ok_or(SignaturesError::TooManyKeys)?;
     if signature_bytes > BUF_LIMIT {
         return Err(SignaturesError::TooManyKeys.into());
     }
diff --git a/api/src/sign/zip.rs b/api/src/sign/zip.rs
@@ -41,7 +41,11 @@ where
     if keys.len() > SignatureCountLeInt::MAX as usize {
         return Err(Error::TooManyKeys.into());
     }
-    let signature_bytes = SIGNATURE_LENGTH * keys.len() + HEADER_SIZE;
+    let signature_bytes = keys
+        .len()
+        .checked_mul(SIGNATURE_LENGTH)
+        .and_then(|s| s.checked_add(HEADER_SIZE))
+        .ok_or(Error::TooManyKeys)?;
     if signature_bytes > BUF_LIMIT {
         return Err(Error::TooManyKeys.into());
     }
diff --git a/api/src/verify/mod.rs b/api/src/verify/mod.rs
@@ -105,7 +105,9 @@ where
     if signature_count == 0 {
         return Err(SignaturesError::Empty.into());
     }
-    let signature_bytes = signature_count * SIGNATURE_LENGTH;
+    let signature_bytes = signature_count
+        .checked_mul(SIGNATURE_LENGTH)
+        .ok_or(SignaturesError::MagicHeader)?;
     if signature_bytes > BUF_LIMIT {
         return Err(SignaturesError::MagicHeader.into());
     }
diff --git a/api/src/verify_unsign_tar.rs b/api/src/verify_unsign_tar.rs
@@ -98,6 +98,12 @@ where
     if data[..GZIP_START.len()] != *GZIP_START {
         return Err(TarReadSignaturesError::Gzip);
     }
+    // `base64` already ensures that no `NUL` was contained in the input. A `NUL` would mean that
+    // the signature data was broken / contained inside another `DEFLATE` block. I don't think
+    // forging a `.tar.gz` file this way could be used for an attack, anyway, because an empty
+    // `DEFLATE` block cannot contain data. Being "empty" and "containing data" at the same time …
+    // But without any `NUL` check, `zipsign-api` could possibly say "this file is fine", when it's
+    // actually broken.
     let Ok(data) = BASE64_STANDARD.decode(&data[GZIP_START.len()..]) else {
         return Err(TarReadSignaturesError::Base64);
     };

Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,11 @@ pub fn gather_signature_data(`
`78`	`78`	`return Err(SignaturesError::Empty.into());`
`79`	`79`	`}`
`80`	`80`
`81`		`- let signature_bytes = HEADER_SIZE + keys.len() * SIGNATURE_LENGTH;`
	`81`	`+ let signature_bytes = keys`
	`82`	`+ .len()`
	`83`	`+ .checked_mul(SIGNATURE_LENGTH)`
	`84`	`+ .and_then(\|s\| s.checked_add(HEADER_SIZE))`
	`85`	`+ .ok_or(SignaturesError::TooManyKeys)?;`
`82`	`86`	`if signature_bytes > BUF_LIMIT {`
`83`	`87`	`return Err(SignaturesError::TooManyKeys.into());`
`84`	`88`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,11 @@ where`
`41`	`41`	`if keys.len() > SignatureCountLeInt::MAX as usize {`
`42`	`42`	`return Err(Error::TooManyKeys.into());`
`43`	`43`	`}`
`44`		`- let signature_bytes = SIGNATURE_LENGTH * keys.len() + HEADER_SIZE;`
	`44`	`+ let signature_bytes = keys`
	`45`	`+ .len()`
	`46`	`+ .checked_mul(SIGNATURE_LENGTH)`
	`47`	`+ .and_then(\|s\| s.checked_add(HEADER_SIZE))`
	`48`	`+ .ok_or(Error::TooManyKeys)?;`
`45`	`49`	`if signature_bytes > BUF_LIMIT {`
`46`	`50`	`return Err(Error::TooManyKeys.into());`
`47`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,9 @@ where`
`105`	`105`	`if signature_count == 0 {`
`106`	`106`	`return Err(SignaturesError::Empty.into());`
`107`	`107`	`}`
`108`		`- let signature_bytes = signature_count * SIGNATURE_LENGTH;`
	`108`	`+ let signature_bytes = signature_count`
	`109`	`+ .checked_mul(SIGNATURE_LENGTH)`
	`110`	`+ .ok_or(SignaturesError::MagicHeader)?;`
`109`	`111`	`if signature_bytes > BUF_LIMIT {`
`110`	`112`	`return Err(SignaturesError::MagicHeader.into());`
`111`	`113`	`}`