All,
Thank you Santiago for the report and David for the diagnosis. Though this is
not a valid zip file, there are in fact no overlapping structures and so there
should not be a bomb alert.
I have added a commit that initializes the cover with the actual spans of the
central directory, the
invalid is also unfortunate and
inefficient, since compression is kinda the point of the zip format.
Mark
> On Jul 12, 2019, at 8:23 PM, Adler, Mark wrote:
>
> Ben,
>
> Ah, no, I did not test the jar files. I just did, and indeed I am seeing the
> reported zip bomb detec
Ben,
Ah, no, I did not test the jar files. I just did, and indeed I am seeing the
reported zip bomb detections.
Thanks. I’ll look into it.
Mark
> On Jul 12, 2019, at 3:22 PM, Ben Caradoc-Davies wrote:
>
> On 13/07/2019 04:32, Adler, Mark wrote:
>> I downloaded the four fal
On Jul 12, 2019, at 9:43 AM, Santiago Vila wrote:
> I applied the commits I believed to be the fix for the zipbomb issue, i.e.
> these two:
>
> commit 41beb477c5744bc396fa1162ee0c14218ec12213
> Fix bug in undefer_input() that misplaced the input state.
> commit
Santiago,
Thank you for the report.
I downloaded the four false-positive zip files from the bug report page, and
none of them showed a zip bomb error (or any other error).
How exactly did you apply the fix? Did you download the complete source from
github? Or did you try to selectively apply a