From 98cffbce032d1f2994f494503bc7945ee0c282e1 Mon Sep 17 00:00:00 2001
From: Klaus Post <klauspost@gmail.com>
Date: Fri, 2 Dec 2022 17:53:24 +0100
Subject: [PATCH] s3zip: Limit over-read for single file (#16161)

---
 cmd/s3-zip-handlers.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/cmd/s3-zip-handlers.go b/cmd/s3-zip-handlers.go
index fc6dbd880..ef6baf00f 100644
--- a/cmd/s3-zip-handlers.go
+++ b/cmd/s3-zip-handlers.go
@@ -179,8 +179,13 @@ func (api objectAPIHandlers) getObjectInArchiveFileHandler(ctx context.Context,
 	var rc io.ReadCloser
 
 	if file.UncompressedSize64 > 0 {
-		// We do not know where the file ends, but the returned reader only returns UncompressedSize.
-		rs := &HTTPRangeSpec{Start: file.Offset, End: -1}
+		// There may be number of header bytes before the content.
+		// Reading 64K extra. This should more than cover name and any "extra" details.
+		end := file.Offset + int64(file.CompressedSize64) + 64<<10
+		if end > zipObjInfo.Size {
+			end = zipObjInfo.Size
+		}
+		rs := &HTTPRangeSpec{Start: file.Offset, End: end}
 		gr, err := objectAPI.GetObjectNInfo(ctx, bucket, zipPath, rs, nil, readLock, opts)
 		if err != nil {
 			writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL)