From c5d62c58f9d6f74cba550d9186609a4ccab602c1 Mon Sep 17 00:00:00 2001
From: Sean Arms <67096+lesserwhirls@users.noreply.github.com>
Date: Tue, 10 Feb 2026 14:10:03 -0700
Subject: [PATCH] Fix integer overflow for inflate

When decompressing a zlib compressed chunk, prevent an integer overflow when calculating the size of the ByteArrayOutputStream.
Fixes Unidata/netcdf-java#1523
---
 cdm/core/src/main/java/ucar/nc2/filter/Deflate.java | 3 ++-
 cdm/core/src/main/java/ucar/nc2/iosp/hdf5/H5tiledLayoutBB.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/cdm/core/src/main/java/ucar/nc2/filter/Deflate.java b/cdm/core/src/main/java/ucar/nc2/filter/Deflate.java
index 47280a3c27..99d4b2ecbd 100644
--- a/cdm/core/src/main/java/ucar/nc2/filter/Deflate.java
+++ b/cdm/core/src/main/java/ucar/nc2/filter/Deflate.java
@@ -69,7 +69,8 @@ public byte[] encode(byte[] dataIn) throws IOException {
 @Override
 public byte[] decode(byte[] dataIn) throws IOException {
- int len = Math.min(8 * dataIn.length, MAX_ARRAY_LEN);
+ long approxLen = (long) 8 * dataIn.length;
+ int len = approxLen > MAX_ARRAY_LEN ? MAX_ARRAY_LEN : (int) approxLen;
 try (ByteArrayInputStream in = new ByteArrayInputStream(dataIn);
 InflaterInputStream iis = new InflaterInputStream(in, new Inflater(), dataIn.length);
 ByteArrayOutputStream os = new ByteArrayOutputStream(len)) {
diff --git a/cdm/core/src/main/java/ucar/nc2/iosp/hdf5/H5tiledLayoutBB.java b/cdm/core/src/main/java/ucar/nc2/iosp/hdf5/H5tiledLayoutBB.java
index 302cbc2eb8..db8a779bd1 100644
--- a/cdm/core/src/main/java/ucar/nc2/iosp/hdf5/H5tiledLayoutBB.java
+++ b/cdm/core/src/main/java/ucar/nc2/iosp/hdf5/H5tiledLayoutBB.java
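Review bot: The clamp in `Deflate.decode` fixes only the initial capacity passed to `ByteArrayOutputStream`; the stream still grows on demand, so nothing in this hunk limits how far a crafted zlib chunk can inflate. The try body lies outside the hunk, so whether the copy loop enforces a ceiling cannot be judged from here; if it does not, a cap tied to the expected chunk size is the missing check, and a comment such as `// initial capacity hint only, not a limit on inflated size` would stop readers from taking `len` for one. On style, `(long) 8 * dataIn.length` is correct only because the cast binds to the literal before the multiply; `long approxLen = 8L * dataIn.length;` states it directly. The same two lines are repeated in `H5tiledLayoutBB.inflate`, so a shared helper would let one small unit test cover both call sites, which this commit (two files changed, no test) does not add.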
@@ -252,7 +252,8 @@ private byte[] inflate(byte[] compressed) throws IOException {
 java.util.zip.InflaterInputStream inflatestream = new java.util.zip.InflaterInputStream(in, inflater, inflatebuffersize);
- int len = Math.min(8 * compressed.length, MAX_ARRAY_LEN);
+ long approxLen = (long) 8 * compressed.length;
+ int len = approxLen > MAX_ARRAY_LEN ? MAX_ARRAY_LEN : (int) approxLen;
 ByteArrayOutputStream out = new ByteArrayOutputStream(len); // Fixes KXL-349288
 IO.copyB(inflatestream, out, len);
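Review bot: `len` is used twice in `inflate`, as the initial capacity of `out` and as the third argument of `IO.copyB`, which looks like the copy buffer size (its declaration is not on this page — confirm). If so, a large compressed chunk now drives both allocations up to `MAX_ARRAY_LEN` at once before a single byte is inflated, where the wrapped value previously produced some other size. Keeping `len` as the capacity hint and giving the copy a small fixed buffer avoids that, e.g. `IO.copyB(inflatestream, out, Math.min(len, COPY_BUF_PLACEHOLDER));`, where `COPY_BUF_PLACEHOLDER` stands for a constant this class would define. The body of `inflate` starts and ends outside the hunk, so whether `inflater.end()` is called afterwards cannot be checked here.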