rubyzip 2.4.1 → 3.2.2

data/lib/zip/central_directory.rb

@@ -1,45 +1,79 @@
+# frozen_string_literal: true
+
+require 'forwardable'
+
+require_relative 'dirtyable'
+
 module Zip
-  class CentralDirectory
-    include Enumerable
+  class CentralDirectory # :nodoc:
+    extend Forwardable
+    include Dirtyable
+
+    END_OF_CD_SIG          = 0x06054b50
+    ZIP64_END_OF_CD_SIG    = 0x06064b50
+    ZIP64_EOCD_LOCATOR_SIG = 0x07064b50
 
-    END_OF_CDS             = 0x06054b50
-    ZIP64_END_OF_CDS       = 0x06064b50
-    ZIP64_EOCD_LOCATOR     = 0x07064b50
-    MAX_END_OF_CDS_SIZE    = 65_536 + 18
     STATIC_EOCD_SIZE       = 22
+    ZIP64_STATIC_EOCD_SIZE = 56
+    ZIP64_EOCD_LOC_SIZE    = 20
+    MAX_FILE_COMMENT_SIZE  = (1 << 16) - 1
+    MAX_END_OF_CD_SIZE     =
+      MAX_FILE_COMMENT_SIZE + STATIC_EOCD_SIZE + ZIP64_EOCD_LOC_SIZE
 
-    attr_reader :comment
+    attr_accessor :comment
 
-    # Returns an Enumerable containing the entries.
-    def entries
-      @entry_set.entries
-    end
+    def_delegators :@entry_set,
+                   :<<, :delete, :each, :entries, :find_entry, :glob,
+                   :include?, :size
+
+    mark_dirty :<<, :comment=, :delete
 
-    def initialize(entries = EntrySet.new, comment = '') #:nodoc:
-      super()
+    def initialize(entries = EntrySet.new, comment = '') # :nodoc:
+      super(dirty_on_create: false)
       @entry_set = entries.kind_of?(EntrySet) ? entries : EntrySet.new(entries)
       @comment   = comment
     end
 
-    def write_to_stream(io) #:nodoc:
+    def read_from_stream(io)
+      read_eocds(io)
+      read_central_directory_entries(io)
+    end
+
+    def write_to_stream(io, suppress_extra_fields: false) # :nodoc:
       cdir_offset = io.tell
-      @entry_set.each { |entry| entry.write_c_dir_entry(io) }
+      @entry_set.each do |entry|
+        entry.write_c_dir_entry(io, suppress_extra_fields: suppress_extra_fields)
+      end
       eocd_offset = io.tell
       cdir_size = eocd_offset - cdir_offset
-      if ::Zip.write_zip64_support
-        need_zip64_eocd = cdir_offset > 0xFFFFFFFF || cdir_size > 0xFFFFFFFF || @entry_set.size > 0xFFFF
-        need_zip64_eocd ||= @entry_set.any? { |entry| entry.extra['Zip64'] }
-        if need_zip64_eocd
-          write_64_e_o_c_d(io, cdir_offset, cdir_size)
-          write_64_eocd_locator(io, eocd_offset)
-        end
+      if Zip.write_zip64_support &&
+         (cdir_offset > 0xFFFFFFFF || cdir_size > 0xFFFFFFFF || @entry_set.size > 0xFFFF)
+        write_64_e_o_c_d(io, cdir_offset, cdir_size)
+        write_64_eocd_locator(io, eocd_offset)
       end
       write_e_o_c_d(io, cdir_offset, cdir_size)
     end
 
-    def write_e_o_c_d(io, offset, cdir_size) #:nodoc:
+    # Reads the End of Central Directory Record (and the Zip64 equivalent if
+    # needs be) and returns the number of entries in the archive. This is a
+    # convenience method that avoids reading in all of the entry data to get a
+    # very quick entry count.
+    def count_entries(io)
+      read_eocds(io)
+      @size
+    end
+
+    def ==(other) # :nodoc:
+      return false unless other.kind_of?(CentralDirectory)
+
+      @entry_set.entries.sort == other.entries.sort && comment == other.comment
+    end
+
+    private
+
+    def write_e_o_c_d(io, offset, cdir_size) # :nodoc:
       tmp = [
-        END_OF_CDS,
+        END_OF_CD_SIG,
         0, # @numberOfThisDisk
         0, # @numberOfDiskWithStartOfCDir
         @entry_set ? [@entry_set.size, 0xFFFF].min : 0,
@@ -52,11 +86,9 @@ module Zip
       io << @comment
     end
 
-    private :write_e_o_c_d
-
-    def write_64_e_o_c_d(io, offset, cdir_size) #:nodoc:
+    def write_64_e_o_c_d(io, offset, cdir_size) # :nodoc:
       tmp = [
-        ZIP64_END_OF_CDS,
+        ZIP64_END_OF_CD_SIG,
         44, # size of zip64 end of central directory record (excludes signature and field itself)
         VERSION_MADE_BY,
         VERSION_NEEDED_TO_EXTRACT_ZIP64,
@@ -70,11 +102,9 @@ module Zip
       io << tmp.pack('VQ<vvVVQ<Q<Q<Q<')
     end
 
-    private :write_64_e_o_c_d
-
     def write_64_eocd_locator(io, zip64_eocd_offset)
       tmp = [
-        ZIP64_EOCD_LOCATOR,
+        ZIP64_EOCD_LOCATOR_SIG,
         0, # number of disk containing the start of zip64 eocd record
         zip64_eocd_offset, # offset of the start of zip64 eocd record in its disk
         1 # total number of disks
@@ -82,127 +112,151 @@ module Zip
       io << tmp.pack('VVQ<V')
     end
 
-    private :write_64_eocd_locator
-
-    def read_64_e_o_c_d(buf) #:nodoc:
-      buf                                           = get_64_e_o_c_d(buf)
-      @size_of_zip64_e_o_c_d                        = Entry.read_zip_64_long(buf)
-      @version_made_by                              = Entry.read_zip_short(buf)
-      @version_needed_for_extract                   = Entry.read_zip_short(buf)
-      @number_of_this_disk                          = Entry.read_zip_long(buf)
-      @number_of_disk_with_start_of_cdir            = Entry.read_zip_long(buf)
-      @total_number_of_entries_in_cdir_on_this_disk = Entry.read_zip_64_long(buf)
-      @size                                         = Entry.read_zip_64_long(buf)
-      @size_in_bytes                                = Entry.read_zip_64_long(buf)
-      @cdir_offset                                  = Entry.read_zip_64_long(buf)
-      @zip_64_extensible                            = buf.slice!(0, buf.bytesize)
-      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.empty?
+    def unpack_64_e_o_c_d(buffer) # :nodoc:
+      _, # ZIP64_END_OF_CD_SIG. We know we have this at this point.
+      @size_of_zip64_e_o_c_d,
+      @version_made_by,
+      @version_needed_for_extract,
+      @number_of_this_disk,
+      @number_of_disk_with_start_of_cdir,
+      @total_number_of_entries_in_cdir_on_this_disk,
+      @size,
+      @size_in_bytes,
+      @cdir_offset = buffer.unpack('VQ<vvVVQ<Q<Q<Q<')
+
+      zip64_extensible_data_size =
+        @size_of_zip64_e_o_c_d - ZIP64_STATIC_EOCD_SIZE + 12
+      @zip64_extensible_data = if zip64_extensible_data_size.zero?
+                                 ''
+                               else
+                                 buffer.slice(
+                                   ZIP64_STATIC_EOCD_SIZE,
+                                   zip64_extensible_data_size
+                                 )
+                               end
+    end
+
+    def unpack_64_eocd_locator(buffer) # :nodoc:
+      _, # ZIP64_EOCD_LOCATOR_SIG. We know we have this at this point.
+      _, zip64_eocd_offset, = buffer.unpack('VVQ<V')
+
+      zip64_eocd_offset
     end
 
-    def read_e_o_c_d(buf) #:nodoc:
-      buf                                           = get_e_o_c_d(buf)
-      @number_of_this_disk                          = Entry.read_zip_short(buf)
-      @number_of_disk_with_start_of_cdir            = Entry.read_zip_short(buf)
-      @total_number_of_entries_in_cdir_on_this_disk = Entry.read_zip_short(buf)
-      @size                                         = Entry.read_zip_short(buf)
-      @size_in_bytes                                = Entry.read_zip_long(buf)
-      @cdir_offset                                  = Entry.read_zip_long(buf)
-      comment_length                                = Entry.read_zip_short(buf)
-      @comment                                      = if comment_length.to_i <= 0
-                                                        buf.slice!(0, buf.size)
-                                                      else
-                                                        buf.read(comment_length)
-                                                      end
-      raise Error, 'Zip consistency problem while reading eocd structure' unless buf.empty?
+    # Unpack the EOCD and return a boolean indicating whether this header is
+    # complete without needing Zip64 extensions.
+    def unpack_e_o_c_d(buffer) # :nodoc: # rubocop:disable Naming/PredicateMethod
+      _, # END_OF_CD_SIG. We know we have this at this point.
+      @number_of_this_disk,
+      @number_of_disk_with_start_of_cdir,
+      @total_number_of_entries_in_cdir_on_this_disk,
+      @size,
+      @size_in_bytes,
+      @cdir_offset,
+      comment_length = buffer.unpack('VvvvvVVv')
+
+      @comment = if comment_length.positive?
+                   buffer.slice(STATIC_EOCD_SIZE, comment_length)
+                 else
+                   ''
+                 end
+
+      !([@number_of_this_disk, @number_of_disk_with_start_of_cdir,
+         @total_number_of_entries_in_cdir_on_this_disk, @size].any?(0xFFFF) ||
+         @size_in_bytes == 0xFFFFFFFF || @cdir_offset == 0xFFFFFFFF)
     end
 
-    def read_central_directory_entries(io) #:nodoc:
+    def read_central_directory_entries(io) # :nodoc:
+      # `StringIO` doesn't raise `EINVAL` if you seek beyond the current end,
+      # so we need to catch that *and* query `io#eof?` here.
+      eof = false
       begin
         io.seek(@cdir_offset, IO::SEEK_SET)
       rescue Errno::EINVAL
-        raise Error, 'Zip consistency problem while reading central directory entry'
+        eof = true
       end
+      raise Error, 'Zip consistency problem while reading central directory entry' if eof || io.eof?
+
       @entry_set = EntrySet.new
       @size.times do
-        @entry_set << Entry.read_c_dir_entry(io)
-      end
-    end
+        entry = Entry.read_c_dir_entry(io)
+        next unless entry
+
+        offset = if entry.zip64?
+                   entry.extra[:zip64].relative_header_offset
+                 else
+                   entry.local_header_offset
+                 end
+
+        unless offset.nil?
+          io_save = io.tell
+          io.seek(offset, IO::SEEK_SET)
+          entry.read_extra_field(read_local_extra_field(io), local: true)
+          io.seek(io_save, IO::SEEK_SET)
+        end
 
-    def read_from_stream(io) #:nodoc:
-      buf = start_buf(io)
-      if zip64_file?(buf)
-        read_64_e_o_c_d(buf)
-      else
-        read_e_o_c_d(buf)
+        @entry_set << entry
       end
-      read_central_directory_entries(io)
     end
 
-    def get_e_o_c_d(buf) #:nodoc:
-      sig_index = buf.rindex([END_OF_CDS].pack('V'))
-      raise Error, 'Zip end of central directory signature not found' unless sig_index
-
-      buf = buf.slice!((sig_index + 4)..(buf.bytesize))
+    def read_local_extra_field(io)
+      buf = io.read(::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH) || ''
+      return '' unless buf.bytesize == ::Zip::LOCAL_ENTRY_STATIC_HEADER_LENGTH
 
-      def buf.read(count)
-        slice!(0, count)
-      end
-
-      buf
-    end
+      head, _, _, _, _, _, _, _, _, _, n_len, e_len = buf.unpack('VCCvvvvVVVvv')
+      return '' unless head == ::Zip::LOCAL_ENTRY_SIGNATURE
 
-    def zip64_file?(buf)
-      buf.rindex([ZIP64_END_OF_CDS].pack('V')) && buf.rindex([ZIP64_EOCD_LOCATOR].pack('V'))
-    end
-
-    def start_buf(io)
-      begin
-        io.seek(-MAX_END_OF_CDS_SIZE, IO::SEEK_END)
-      rescue Errno::EINVAL
-        io.seek(0, IO::SEEK_SET)
-      end
-      io.read
+      io.seek(n_len, IO::SEEK_CUR) # Skip over the entry name.
+      io.read(e_len)
     end
 
-    def get_64_e_o_c_d(buf) #:nodoc:
-      zip_64_start = buf.rindex([ZIP64_END_OF_CDS].pack('V'))
-      raise Error, 'Zip64 end of central directory signature not found' unless zip_64_start
+    def read_eocds(io) # :nodoc:
+      base_location, data = eocd_data(io)
 
-      zip_64_locator = buf.rindex([ZIP64_EOCD_LOCATOR].pack('V'))
-      raise Error, 'Zip64 end of central directory signature locator not found' unless zip_64_locator
+      eocd_location = data.rindex([END_OF_CD_SIG].pack('V'))
+      raise Error, 'Zip end of central directory signature not found' unless eocd_location
 
-      buf = buf.slice!((zip_64_start + 4)..zip_64_locator)
+      # Parse the EOCD and return if it is complete without Zip64 extensions.
+      return if unpack_e_o_c_d(data.slice(eocd_location..-1))
 
-      def buf.read(count)
-        slice!(0, count)
+      # Need to read in the Zip64 EOCD locator and then the Zip64 EOCD.
+      zip64_eocd_locator = data.rindex([ZIP64_EOCD_LOCATOR_SIG].pack('V'), eocd_location)
+      unless zip64_eocd_locator
+        raise Error, 'Zip64 end of central directory locator signature expected but not found'
       end
 
-      buf
-    end
-
-    # For iterating over the entries.
-    def each(&a_proc)
-      @entry_set.each(&a_proc)
-    end
-
-    # Returns the number of entries in the central directory (and
-    # consequently in the zip archive).
-    def size
-      @entry_set.size
-    end
+      # Do we already have the Zip64 EOCD in the data we've read?
+      zip64_eocd_location = data.rindex([ZIP64_END_OF_CD_SIG].pack('V'), zip64_eocd_locator)
+
+      zip64_eocd_data =
+        if zip64_eocd_location
+          # Yes.
+          data.slice(zip64_eocd_location..zip64_eocd_locator)
+        else
+          # No. Read its location from the locator and then read it in.
+          zip64_eocd_location = unpack_64_eocd_locator(
+            data.slice(zip64_eocd_locator..eocd_location)
+          )
+          unless zip64_eocd_location
+            raise Error, 'Zip64 end of central directory signature not found'
+          end
+
+          io.seek(zip64_eocd_location, IO::SEEK_SET)
+          io.read(base_location + zip64_eocd_locator - zip64_eocd_location)
+        end
 
-    def self.read_from_stream(io) #:nodoc:
-      cdir = new
-      cdir.read_from_stream(io)
-      cdir
-    rescue Error
-      nil
+      # Finally, unpack the Zip64 EOCD.
+      unpack_64_e_o_c_d(zip64_eocd_data)
     end
 
-    def ==(other) #:nodoc:
-      return false unless other.kind_of?(CentralDirectory)
+    def eocd_data(io)
+      begin
+        io.seek(-MAX_END_OF_CD_SIZE, IO::SEEK_END)
+      rescue Errno::EINVAL
+        io.seek(0, IO::SEEK_SET)
+      end
 
-      @entry_set.entries.sort == other.entries.sort && comment == other.comment
+      [io.tell, io.read]
     end
   end
 end

data/lib/zip/compressor.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module Zip
-  class Compressor #:nodoc:all
+  class Compressor # :nodoc:all
     def finish; end
   end
 end

data/lib/zip/constants.rb

@@ -1,4 +1,8 @@
+# frozen_string_literal: true
+
 module Zip
+  # :stopdoc:
+
   RUNNING_ON_WINDOWS = RbConfig::CONFIG['host_os'] =~ /mswin|mingw|cygwin/i
 
   CENTRAL_DIRECTORY_ENTRY_SIGNATURE = 0x02014b50
@@ -11,6 +15,8 @@ module Zip
   VERSION_NEEDED_TO_EXTRACT              = 20
   VERSION_NEEDED_TO_EXTRACT_ZIP64        = 45
 
+  SPLIT_FILE_SIGNATURE = 0x08074b50
+
   FILE_TYPE_FILE    = 0o10
   FILE_TYPE_DIR     = 0o04
   FILE_TYPE_SYMLINK = 0o12
@@ -38,27 +44,27 @@ module Zip
   FSTYPE_ATHEOS   = 30
 
   FSTYPES = {
-    FSTYPE_FAT      => 'FAT'.freeze,
-    FSTYPE_AMIGA    => 'Amiga'.freeze,
-    FSTYPE_VMS      => 'VMS (Vax or Alpha AXP)'.freeze,
-    FSTYPE_UNIX     => 'Unix'.freeze,
-    FSTYPE_VM_CMS   => 'VM/CMS'.freeze,
-    FSTYPE_ATARI    => 'Atari ST'.freeze,
-    FSTYPE_HPFS     => 'OS/2 or NT HPFS'.freeze,
-    FSTYPE_MAC      => 'Macintosh'.freeze,
-    FSTYPE_Z_SYSTEM => 'Z-System'.freeze,
-    FSTYPE_CPM      => 'CP/M'.freeze,
-    FSTYPE_TOPS20   => 'TOPS-20'.freeze,
-    FSTYPE_NTFS     => 'NTFS'.freeze,
-    FSTYPE_QDOS     => 'SMS/QDOS'.freeze,
-    FSTYPE_ACORN    => 'Acorn RISC OS'.freeze,
-    FSTYPE_VFAT     => 'Win32 VFAT'.freeze,
-    FSTYPE_MVS      => 'MVS'.freeze,
-    FSTYPE_BEOS     => 'BeOS'.freeze,
-    FSTYPE_TANDEM   => 'Tandem NSK'.freeze,
-    FSTYPE_THEOS    => 'Theos'.freeze,
-    FSTYPE_MAC_OSX  => 'Mac OS/X (Darwin)'.freeze,
-    FSTYPE_ATHEOS   => 'AtheOS'.freeze
+    FSTYPE_FAT      => 'FAT',
+    FSTYPE_AMIGA    => 'Amiga',
+    FSTYPE_VMS      => 'VMS (Vax or Alpha AXP)',
+    FSTYPE_UNIX     => 'Unix',
+    FSTYPE_VM_CMS   => 'VM/CMS',
+    FSTYPE_ATARI    => 'Atari ST',
+    FSTYPE_HPFS     => 'OS/2 or NT HPFS',
+    FSTYPE_MAC      => 'Macintosh',
+    FSTYPE_Z_SYSTEM => 'Z-System',
+    FSTYPE_CPM      => 'CP/M',
+    FSTYPE_TOPS20   => 'TOPS-20',
+    FSTYPE_NTFS     => 'NTFS',
+    FSTYPE_QDOS     => 'SMS/QDOS',
+    FSTYPE_ACORN    => 'Acorn RISC OS',
+    FSTYPE_VFAT     => 'Win32 VFAT',
+    FSTYPE_MVS      => 'MVS',
+    FSTYPE_BEOS     => 'BeOS',
+    FSTYPE_TANDEM   => 'Tandem NSK',
+    FSTYPE_THEOS    => 'Theos',
+    FSTYPE_MAC_OSX  => 'Mac OS/X (Darwin)',
+    FSTYPE_ATHEOS   => 'AtheOS'
   }.freeze
 
   COMPRESSION_METHOD_STORE = 0
@@ -112,4 +118,6 @@ module Zip
     COMPRESSION_METHOD_PPMD        => 'PPMd version I, Rev 1',
     COMPRESSION_METHOD_AES         => 'AES encryption'
   }.freeze
+
+  # :startdoc:
 end

data/lib/zip/crypto/aes_encryption.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Zip
+  module AESEncryption # :nodoc:
+    VERIFIER_LENGTH = 2
+    BLOCK_SIZE = 16
+    AUTHENTICATION_CODE_LENGTH = 10
+
+    VERSION_AE_1 = 0x01
+    VERSION_AE_2 = 0x02
+
+    VERSIONS = [
+      VERSION_AE_1,
+      VERSION_AE_2
+    ].freeze
+
+    STRENGTH_128_BIT = 0x01
+    STRENGTH_192_BIT = 0x02
+    STRENGTH_256_BIT = 0x03
+
+    STRENGTHS = [
+      STRENGTH_128_BIT,
+      STRENGTH_192_BIT,
+      STRENGTH_256_BIT
+    ].freeze
+
+    BITS = {
+      STRENGTH_128_BIT => 128,
+      STRENGTH_192_BIT => 192,
+      STRENGTH_256_BIT => 256
+    }.freeze
+
+    KEY_LENGTHS = {
+      STRENGTH_128_BIT => 16,
+      STRENGTH_192_BIT => 24,
+      STRENGTH_256_BIT => 32
+    }.freeze
+
+    SALT_LENGTHS = {
+      STRENGTH_128_BIT => 8,
+      STRENGTH_192_BIT => 12,
+      STRENGTH_256_BIT => 16
+    }.freeze
+
+    def initialize(password, strength)
+      @password = password
+      @strength = strength
+      @bits = BITS[@strength]
+      @key_length = KEY_LENGTHS[@strength]
+      @salt_length = SALT_LENGTHS[@strength]
+    end
+
+    def header_bytesize
+      @salt_length + VERIFIER_LENGTH
+    end
+
+    def gp_flags
+      0x0001
+    end
+  end
+
+  class AESDecrypter < Decrypter # :nodoc:
+    include AESEncryption
+
+    def decrypt(encrypted_data)
+      @hmac.update(encrypted_data)
+
+      idx = 0
+      decrypted_data = +''
+      amount_to_read = encrypted_data.size
+
+      while amount_to_read.positive?
+        @cipher.iv = [@counter + 1].pack('Vx12')
+        begin_index = BLOCK_SIZE * idx
+        end_index = begin_index + [BLOCK_SIZE, amount_to_read].min
+        decrypted_data << @cipher.update(encrypted_data[begin_index...end_index])
+        amount_to_read -= BLOCK_SIZE
+        @counter += 1
+        idx += 1
+      end
+
+      # JRuby requires finalization of the cipher. This is a bug, as noted in
+      # jruby/jruby-openssl#182 and jruby/jruby-openssl#183.
+      decrypted_data << @cipher.final if defined?(JRUBY_VERSION)
+      decrypted_data
+    end
+
+    def reset!(header)
+      raise Error, "Unsupported encryption AES-#{@bits}" unless STRENGTHS.include? @strength
+
+      salt = header[0...@salt_length]
+      pwd_verify = header[-VERIFIER_LENGTH..]
+      key_material = OpenSSL::KDF.pbkdf2_hmac(
+        @password,
+        salt:       salt,
+        iterations: 1000,
+        length:     (2 * @key_length) + VERIFIER_LENGTH,
+        hash:       'sha1'
+      )
+      enc_key = key_material[0...@key_length]
+      enc_hmac_key = key_material[@key_length...(2 * @key_length)]
+      enc_pwd_verify = key_material[-VERIFIER_LENGTH..]
+
+      raise Error, 'Bad password' if enc_pwd_verify != pwd_verify
+
+      @counter = 0
+      @cipher = OpenSSL::Cipher::AES.new(@bits, :CTR)
+      @cipher.decrypt
+      @cipher.key = enc_key
+      @hmac = OpenSSL::HMAC.new(enc_hmac_key, OpenSSL::Digest.new('SHA1'))
+    end
+
+    def check_integrity!(io)
+      auth_code = io.read(AUTHENTICATION_CODE_LENGTH)
+      raise Error, 'Integrity fault' if @hmac.digest[0...AUTHENTICATION_CODE_LENGTH] != auth_code
+    end
+  end
+end

data/lib/zip/crypto/decrypted_io.rb

@@ -1,40 +1,46 @@
+# frozen_string_literal: true
+
 module Zip
-  class DecryptedIo #:nodoc:all
+  class DecryptedIo # :nodoc:all
     CHUNK_SIZE = 32_768
 
-    def initialize(io, decrypter)
+    def initialize(io, decrypter, compressed_size)
       @io = io
       @decrypter = decrypter
+      @bytes_remaining = compressed_size
+      @buffer = +''
     end
 
     def read(length = nil, outbuf = +'')
-      return (length.nil? || length.zero? ? '' : nil) if eof
+      return (length.nil? || length.zero? ? '' : nil) if eof?
 
-      while length.nil? || (buffer.bytesize < length)
+      while length.nil? || (@buffer.bytesize < length)
         break if input_finished?
 
-        buffer << produce_input
+        @buffer << produce_input
       end
 
-      outbuf.replace(buffer.slice!(0...(length || output_buffer.bytesize)))
+      @decrypter.check_integrity!(@io) if input_finished?
+
+      outbuf.replace(@buffer.slice!(0...(length || @buffer.bytesize)))
     end
 
     private
 
-    def eof
-      buffer.empty? && input_finished?
-    end
-
-    def buffer
-      @buffer ||= +''
+    def eof?
+      @buffer.empty? && input_finished?
     end
 
     def input_finished?
-      @io.eof
+      !@bytes_remaining.positive?
     end
 
     def produce_input
-      @decrypter.decrypt(@io.read(CHUNK_SIZE))
+      chunk_size = [@bytes_remaining, CHUNK_SIZE].min
+      return '' unless chunk_size.positive?
+
+      @bytes_remaining -= chunk_size
+      @decrypter.decrypt(@io.read(chunk_size))
     end
   end
 end

data/lib/zip/crypto/encryption.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module Zip
-  class Encrypter #:nodoc:all
+  class Encrypter # :nodoc:all
   end
 
-  class Decrypter
+  class Decrypter # :nodoc:all
   end
 end