diff --git a/WHATSNEW b/WHATSNEW
index b4c78519e..990a6bd03 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -78,6 +78,10 @@ Fixed bugs:
    that was invoked by multiple targets from the command line.
    Bugzilla Report 50894.
 
+ * The ZipFile class could read past the start of the file if the
+   given file is not a ZIP archive and it is smaller than the size of
+   a ZIP "end of central directory record".
+
 Other changes:
 --------------
 
diff --git a/src/main/org/apache/tools/zip/ZipFile.java b/src/main/org/apache/tools/zip/ZipFile.java
index 074792018..b2309d136 100644
--- a/src/main/org/apache/tools/zip/ZipFile.java
+++ b/src/main/org/apache/tools/zip/ZipFile.java
@@ -451,12 +451,16 @@ public class ZipFile {
         throws IOException {
         boolean found = false;
         long off = archive.length() - MIN_EOCD_SIZE;
-        long stopSearching = Math.max(0L, archive.length() - MAX_EOCD_SIZE);
+        final long stopSearching =
+            Math.max(0L, archive.length() - MAX_EOCD_SIZE);
         if (off >= 0) {
-            archive.seek(off);
-            byte[] sig = ZipOutputStream.EOCD_SIG;
-            int curr = archive.read();
-            while (off >= stopSearching && curr != -1) {
+            final byte[] sig = ZipOutputStream.EOCD_SIG;
+            for (; off >= stopSearching; off--) {
+                archive.seek(off);
+                int curr = archive.read();
+                if (curr == -1) {
+                    break;
+                }
                 if (curr == sig[POS_0]) {
                     curr = archive.read();
                     if (curr == sig[POS_1]) {
@@ -470,8 +474,6 @@ public class ZipFile {
                         }
                     }
                 }
-                archive.seek(--off);
-                curr = archive.read();
             }
         }
         if (!found) {