@simonmichal commented on this pull request. > @@ -60,6 +60,7 @@ namespace XrdZip cdSize = *reinterpret_cast<const uint32_t*>( buffer + 12 ); cdOffset = *reinterpret_cast<const uint32_t*>( buffer + 16 ); commentLength = *reinterpret_cast<const uint16_t*>( buffer + 20 ); + if(maxSize > 0 && (uint32_t)(eocdBaseSize + commentLength) > maxSize) throw bad_data(); Could you please move the `throw` statement to a new line? > @@ -321,10 +321,17 @@ namespace XrdCl "End-of-central-directory signature not found." ); Pipeline::Stop( error ); } + try{ Are you using a try-catch block only because of the `throw` statement in line 328 (BTW please move it to the next line), if yes then it would make more sense to replace the `throw` directly with a call to `Pipeline::Stop( error )`. On the other hand, if we also want to cover the `EOCD` constructor it would make sense to pass the `maxSize` argument to it (in this case the try-catch block is justified). -- Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/pull/1744#pullrequestreview-1049223176 You are receiving this because you are subscribed to this thread. Message ID: <[log in to unmask]> ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1