From f380185d22e71f5a21caafe4641105bf74ef86b0 Mon Sep 17 00:00:00 2001
From: "Node.js GitHub Bot"
Date: Sun, 28 Jun 2026 01:18:13 +0000
Subject: [PATCH] deps: update zlib to 1.3.2.1-motley-8b3aa8a
---
 deps/zlib/contrib/minizip/unzip.c | 2 ++
 deps/zlib/contrib/tests/utils_unittest.cc | 23 ++++++++++++++
 .../google/test/data/enc_flag_mismatch.zip | Bin 0 -> 182 bytes
 deps/zlib/google/test_data.filelist | 1 +
 deps/zlib/google/zip_reader_unittest.cc | 18 +++++++++++
 ...0015-minizip-unzip-enable-decryption.patch | 28 ++++++++++++++++++
 src/zlib_version.h | 2 +-
 7 files changed, 73 insertions(+), 1 deletion(-)
 create mode 100644 deps/zlib/google/test/data/enc_flag_mismatch.zip
diff --git a/deps/zlib/contrib/minizip/unzip.c b/deps/zlib/contrib/minizip/unzip.c
index 0264f7ac570f7d..4eb0de302cfdf8 100644
--- a/deps/zlib/contrib/minizip/unzip.c
+++ b/deps/zlib/contrib/minizip/unzip.c
@@ -1439,6 +1439,8 @@ local int unz64local_CheckCurrentFileCoherencyHeader(unz64_s* s, uInt* piSizeVar
 */
 if (unz64local_getShort(&s->z_filefunc, s->filestream,&uFlags) != UNZ_OK)
 err=UNZ_ERRNO;
+ else if ((err==UNZ_OK) && ((uFlags & 1) != (s->cur_file_info.flag & 1)))
+ err=UNZ_BADZIPFILE; /* LFH/CD encryption flag mismatch */
 
 if (unz64local_getShort(&s->z_filefunc, s->filestream,&uData) != UNZ_OK)
 err=UNZ_ERRNO;
diff --git a/deps/zlib/contrib/tests/utils_unittest.cc b/deps/zlib/contrib/tests/utils_unittest.cc
index f8cd93c705583b..6161e39f0262a0 100644
--- a/deps/zlib/contrib/tests/utils_unittest.cc
+++ b/deps/zlib/contrib/tests/utils_unittest.cc
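Review bot: In `unz64local_CheckCurrentFileCoherencyHeader` (deps/zlib/contrib/minizip/unzip.c) the added comparison masks both flag words with a bare `1`, and the trailing comment names the mismatch without saying what that bit is or why disagreement is rejected. A comment above the `else if` such as `/* bit 0 of the general-purpose flags marks the entry as encrypted; the local header and central directory must agree on it */` would make the check self-explanatory, and a named constant for the mask would help if the project has one (none is visible in this hunk). Only bit 0 is cross-checked here; whether other flag bits deserve the same treatment cannot be judged from these lines. The function body starts and ends outside the hunk.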
@@ -1424,6 +1424,29 @@ TEST(ZlibTest, ZipUnicodePathExtra) { EXPECT_EQ(unzClose(uzf), UNZ_OK); } +TEST(ZlibTest, ZipEncryptionFlagMismatch) { + // Test archive created with info-zip: + // $ echo -n a > a && zip -P a -k a.zip a + // and then hex-edited to drop the encrypted flag from the central directory. + base::FilePath zip_file = TestDataDir().AppendASCII("enc_flag_mismatch.zip"); + + unzFile uzf = unzOpen(zip_file.AsUTF8Unsafe().c_str()); + ASSERT_NE(uzf, nullptr); + + char name[100]; + unz_file_info file_info; + + ASSERT_EQ(unzGoToFirstFile(uzf), UNZ_OK); + ASSERT_EQ(unzGetCurrentFileInfo(uzf, &file_info, name, sizeof(name), + nullptr, 0, nullptr, 0), UNZ_OK); + ASSERT_EQ(std::string(name), "A"); + + // minizip should reject the member due to lfh/cd encrypted flag mismatch. + EXPECT_EQ(unzOpenCurrentFilePassword(uzf, "a"), UNZ_BADZIPFILE); + + EXPECT_EQ(unzClose(uzf), UNZ_OK); +} + TEST(ZlibTest, Crbug500521311) { base::FilePath zip_file = TestDataDir().AppendASCII("bug500521311.zip"); unzFile uzf = unzOpen(zip_file.AsUTF8Unsafe().c_str()); diff --git a/deps/zlib/google/test/data/enc_flag_mismatch.zip b/deps/zlib/google/test/data/enc_flag_mismatch.zip new file mode 100644 index 0000000000000000000000000000000000000000..bb140077bd7f6cb2b8a554221fd4a2c460e72daa GIT binary patch literal 182 zcmWIWW@h1H;ACK6co=a$#(CfN7ra0=BN)ptIEIFBGB9sDpq~Z8r4`%^j4ZPjGcvFQ z$1^fqPSa>B1gFBEB0anii0RMOpath); + EXPECT_FALSE(entry->is_directory); + std::string contents = "dummy"; + EXPECT_FALSE(reader.ExtractCurrentEntryToString(&contents)); + EXPECT_EQ("", contents); + + EXPECT_FALSE(reader.Next()); + EXPECT_TRUE(reader.ok()); +} + // Verifies that the ZipReader class can extract a file from a zip archive // stored in memory. This test opens a zip archive in a std::string object, // extracts its content, and verifies the content is the same as the expected 
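Review bot: `ZipEncryptionFlagMismatch` in utils_unittest.cc asserts the rejection only through `unzOpenCurrentFilePassword(uzf, "a")`, yet for this archive the central directory says the entry is not encrypted, so a caller trusting that record would presumably open it without a password. Adding `EXPECT_EQ(unzOpenCurrentFile(uzf), UNZ_BADZIPFILE);` before the password variant would pin the path such a caller takes. The fixture also covers one direction only (flag dropped from the central directory); the mirror case, with the flag cleared in the local header instead, would need a second test archive. Separately, the `ASSERT_*` lines after `unzOpen` return early on failure without reaching `unzClose(uzf)`.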
diff --git a/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch b/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch
index feeeb1c400777d..dcc7499f3535e9 100644
--- a/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch
+++ b/deps/zlib/patches/0015-minizip-unzip-enable-decryption.patch
@@ -26,3 +26,31 @@ index 82275d6c1775d..c8a01b23efd42 100644
 s->encrypted=1;
 }
 # endif
+
+commit 874ed6b46a4f75407829e510db77cc673a4c86e7
+Author: Hans Wennborg
+Date: Mon Jun 15 11:33:46 2026 +0200
+
+ Check LFH / CD encryption flag consistency
+
+ unz64local_CheckCurrentFileCoherencyHeader performs various consistency
+ checks on the values in the Local File Header and Central Directory.
+ Make it check the encryption flag as well.
+
+ Bug: 514461031
+ Change-Id: Ifaf8620c6e0c345118712bce6e1206bbb83b3a2d
+ Reviewed-on: https://chromium-review.googlesource.com/7942389
+
+diff --git a/third_party/zlib/contrib/minizip/unzip.c b/third_party/zlib/contrib/minizip/unzip.c
+index 0264f7ac570f7..4eb0de302cfdf 100644
+--- a/third_party/zlib/contrib/minizip/unzip.c
++++ b/third_party/zlib/contrib/minizip/unzip.c
+@@ -1439,6 +1439,8 @@ local int unz64local_CheckCurrentFileCoherencyHeader(unz64_s* s, uInt* piSizeVar
+ */
+ if (unz64local_getShort(&s->z_filefunc, s->filestream,&uFlags) != UNZ_OK)
+ err=UNZ_ERRNO;
++ else if ((err==UNZ_OK) && ((uFlags & 1) != (s->cur_file_info.flag & 1)))
++ err=UNZ_BADZIPFILE; /* LFH/CD encryption flag mismatch */
+
+ if (unz64local_getShort(&s->z_filefunc, s->filestream,&uData) != UNZ_OK)
+ err=UNZ_ERRNO;
diff --git a/src/zlib_version.h b/src/zlib_version.h
index e06e2526f3bdb2..a258bd21a55dc8 100644
--- a/src/zlib_version.h
+++ b/src/zlib_version.h
@@ -2,5 +2,5 @@
 // Refer to tools/dep_updaters/update-zlib.sh
 #ifndef SRC_ZLIB_VERSION_H_
 #define SRC_ZLIB_VERSION_H_
-#define ZLIB_VERSION "1.3.2.1-motley-3246f1b"
+#define ZLIB_VERSION "1.3.2.1-motley-8b3aa8a"
 #endif // SRC_ZLIB_VERSION_H_