ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new 4c9659c4e [COMPRESS-647] Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data descriptor entries.
4c9659c4e is described below
commit 4c9659c4ea66839e9219b3368b95af49dd032ba9
Author: Gary Gregory <[email protected]>
AuthorDate: Fri Nov 10 16:06:11 2023 -0500
[COMPRESS-647] Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data descriptor
entries.
---
src/changes/changes.xml | 1 +
.../archivers/zip/ZipArchiveInputStream.java | 4 ++++
.../archivers/zip/ZipArchiveInputStreamTest.java | 19 +++++++++++++++++++
src/test/resources/COMPRESS-647/test.zip | Bin 0 -> 107 bytes
4 files changed, 24 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index ceabe3e6d..9359f8210 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -88,6 +88,7 @@ The <action> type attribute can be add,update,fix,remove.
<action type="fix" dev="ggregory" due-to="Gary Gregory">Calling
PackingUtils.config(PackingOptions) with null now closes the internal
FileHandler.</action>
<action type="fix" issue="COMPRESS-650" dev="ggregory" due-to="Chad
Preisler">LZ4 compressor throws IndexOutOfBoundsException.</action>
<action type="fix" issue="COMPRESS-632" dev="ggregory" due-to="Yakov
Shafranovich, Gary Gregory">LZWInputStream.initializeTables(int) should throw
IllegalArgumentException instead of ArrayIndexOutOfBoundsException.</action>
+ <action type="fix" issue="COMPRESS-647" dev="ggregory" due-to="Robin
Schimpf, Gary Gregory">Throw IOException instead of
ArrayIndexOutOfBoundsException when reading Zip with data descriptor
entries.</action>
<!-- UPDATE -->
<action type="update" dev="ggregory" due-to="Dependabot">Bump
org.slf4j:slf4j-api from 2.0.8 to 2.0.9 #413.</action>
<action type="update" dev="ggregory" due-to="Gary Gregory">Bump
commons-io:commons-io from 2.13.0 to 2.15.0.</action>
diff --git
a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
index dafa78b72..7b750ad07 100644
---
a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
+++
b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
@@ -984,6 +984,10 @@ public class ZipArchiveInputStream extends
ArchiveInputStream<ZipArchiveEntry> i
}
private void pushback(final byte[] buf, final int offset, final int
length) throws IOException {
+ if (offset < 0) {
+ // Instead of ArrayIndexOutOfBoundsException
+ throw new IOException(String.format("Negative offset %,d into
buffer", offset));
+ }
((PushbackInputStream) inputStream).unread(buf, offset, length);
pushedBackBytes(length);
}
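Review bot: The new guard in `pushback` rejects only a negative `offset`; a negative `length`, or an `offset + length` that runs past `buf.length`, still reaches `unread(buf, offset, length)` and would likely surface as an unchecked index exception rather than an `IOException`. These values appear to be computed from archive contents (the commit message ties the negative offset to data descriptor entries), so callers that parse untrusted zips and catch only `IOException` may still hit the same failure mode through the other two conditions. Consider widening the check to `if (offset < 0 || length < 0 || length > buf.length - offset) {` and including both values in the message. The `%,d` specifier also inserts locale-dependent grouping separators, so plain `%d` would give a more stable message for logs.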
diff --git
a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
index 0189a666a..b172724a5 100644
---
a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
+++
b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
@@ -24,6 +24,7 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
@@ -35,6 +36,7 @@ import java.io.InputStream;
import java.nio.channels.Channels;
import java.nio.channels.SeekableByteChannel;
import java.nio.file.Files;
+import java.nio.file.Paths;
import java.time.Instant;
import java.util.Arrays;
import java.util.zip.ZipEntry;
@@ -47,6 +49,8 @@ import
org.apache.commons.compress.archivers.ArchiveStreamFactory;
import org.apache.commons.compress.utils.ByteUtils;
import org.apache.commons.compress.utils.IOUtils;
import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
public class ZipArchiveInputStreamTest extends AbstractTest {
@@ -709,4 +713,19 @@ public class ZipArchiveInputStreamTest extends
AbstractTest {
getAllZipEntries(zipInputStream);
}
}
+
+ @ParameterizedTest
+ @ValueSource(booleans = { true, false })
+ public void zipInputStream(final boolean
allowStoredEntriesWithDataDescriptor) {
+ try (ZipArchiveInputStream zIn = new ZipArchiveInputStream(
+
Files.newInputStream(Paths.get("src/test/resources/COMPRESS-647/test.zip")),
"UTF-8", false,
+ allowStoredEntriesWithDataDescriptor)) {
+ ZipArchiveEntry zae = zIn.getNextEntry();
+ while (zae != null) {
+ zae = zIn.getNextEntry();
+ }
+ } catch (IOException e) {
+ // Ignore expected exception
+ }
+ }
}
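Review bot: The added `zipInputStream` test swallows `IOException` in an empty catch and asserts nothing, so it passes both when the archive is rejected and when it is read to the end; only an escaping unchecked exception would fail it. If `src/test/resources/COMPRESS-647/test.zip` is expected to be rejected for one or both parameter values, `assertThrows(IOException.class, ...)` (already statically imported in this file) would pin that; otherwise a comment such as `// COMPRESS-647: malformed input may throw IOException but must never throw ArrayIndexOutOfBoundsException` would state the contract. The static import of `fail` added earlier in this file's diff is not used in any visible hunk, and the method name does not say what is being tested. The enclosing class begins outside the hunk.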
diff --git a/src/test/resources/COMPRESS-647/test.zip
b/src/test/resources/COMPRESS-647/test.zip
new file mode 100644
index 000000000..af688fd12
Binary files /dev/null and b/src/test/resources/COMPRESS-647/test.zip differ