Check out CVE-2017-13156 which is a real exploit that leveraged differences in zip parsing to bypass a signature scheme.