Hi gzip maintainers,
An out-of-bounds / uninitialised read occurs in unzip.c:check_zipfile()
when the PKZIP local header is shorter than 30 bytes (CWE-457, CWE-125).
Reproduction (on 1.14, Linux x86-64, gcc 13.3):
printf '%s' \
504B0304 1400 0000 0000 0000 0000 00000000 \
01000000 01000000 | xxd -r -p > poc.zip
valgrind --track-origins=yes ./gzip -tv poc.zip
# conditional jump depends on uninitialised value(s) in check_zipfile()
Minimal fix:
--- a/unzip.c
+++ b/unzip.c
@@
uch *h = inbuf + inptr;
+ if (insize - inptr < LOCHDR) /* need full header */
+ goto bad_zip;
inptr += LOCHDR + SH(h + LOCFIL) + SH(h + LOCEXT);
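Review bot: the new `goto bad_zip` branch jumps to a label the hunk does not add; unless check_zipfile() already defines `bad_zip`, this will not compile, so the patch should carry the label (or return the function's error value directly from the new `if`). The hunk also will not apply as posted: the `@@` header has no line ranges and the unchanged context line `uch *h = inbuf + inptr;` lacks the leading space a unified diff requires, so please regenerate it with `git diff`/`diff -u`. One smaller point: if `insize` and `inptr` are unsigned, `insize - inptr` wraps when `inptr > insize`; writing the guard as `inptr + LOCHDR > insize` avoids relying on that.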
Best regards,
Mohamed Maatallah
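As an added example, not gzip's code and not part of the report above, here is a bounds-checked reader for the PKZIP local file header that rejects the 26-byte PoC header before any of its length fields are read; it reuses the LOCHDR/LOCFIL/LOCEXT offsets named in the patch, and the function name zip_local_data_offset and the byte arrays are constructed for this example.

```c
#include <stddef.h>

#define LOCSIG 0x04034b50UL /* local header signature, "PK\3\4" */
#define LOCHDR 30           /* size of the fixed part of the local header */
#define LOCHOW 8            /* offset of the compression method */
#define LOCFIL 26           /* offset of the file name length */
#define LOCEXT 28           /* offset of the extra field length */

/* Little-endian 16- and 32-bit reads, like gzip's SH() and LG(). */
static unsigned sh(const unsigned char *p) { return p[0] | (p[1] << 8); }
static unsigned long lg(const unsigned char *p)
{ return sh(p) | ((unsigned long)sh(p + 2) << 16); }

/* Returns the offset of the member data inside buf, or -1 if the header is
 * truncated or invalid. Each read of h[] follows a length check, so a header
 * shorter than LOCHDR bytes is rejected before its length fields are read. */
long zip_local_data_offset(const unsigned char *buf, size_t len,
                           size_t inptr, unsigned *method)
{
    if (inptr > len || len - inptr < LOCHDR)
        return -1;                  /* fixed header not fully present */
    const unsigned char *h = buf + inptr;
    if (lg(h) != LOCSIG)
        return -1;
    size_t data = inptr + LOCHDR + sh(h + LOCFIL) + sh(h + LOCEXT);
    if (data > len)
        return -1;                  /* name/extra field runs past the end */
    if (method)
        *method = h[LOCHOW];
    return (long)data;
}

/* Constructed sample inputs, not taken from a real archive. */
/* The 26-byte header from the PoC above: it ends after the size fields. */
static const unsigned char POC_SHORT[26] = {
    0x50,0x4b,0x03,0x04, 0x14,0x00, 0,0, 0,0, 0,0, 0,0,
    0,0,0,0, 1,0,0,0, 1,0,0,0 };
/* A complete 30-byte header (method 8, name "a", no extra field)
 * followed by one byte of member data. */
static const unsigned char GOOD[32] = {
    0x50,0x4b,0x03,0x04, 0x14,0x00, 0,0, 8,0, 0,0, 0,0,
    0,0,0,0, 1,0,0,0, 1,0,0,0, 1,0, 0,0, 'a', 0x03 };

long poc_offset(void)   { return zip_local_data_offset(POC_SHORT, sizeof POC_SHORT, 0, NULL); }
long good_offset(void)  { return zip_local_data_offset(GOOD, sizeof GOOD, 0, NULL); }
unsigned good_method(void)
{ unsigned m = 0; zip_local_data_offset(GOOD, sizeof GOOD, 0, &m); return m; }
/* Same header, but the buffer ends before the name byte it announces. */
long truncated_name_offset(void) { return zip_local_data_offset(GOOD, 30, 0, NULL); }
```

Run under valgrind or with -fsanitize=address, the PoC bytes produce no uninitialised or out-of-bounds read because the length check fails first.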