This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-compress.git
commit f3078cb05d0e189cb5ef1d38f4aed135cc5af215 Author: Gary Gregory <[email protected]> AuthorDate: Thu Jan 2 12:42:45 2025 -0500 CpioArchiveInputStream.readOldBinaryEntry(boolean) now throws an IOException on a header pad count mismatch --- src/changes/changes.xml | 1 + .../commons/compress/archivers/cpio/CpioArchiveInputStream.java | 7 ++++--- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index c07e0a41d..c2ec945c9 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -61,6 +61,7 @@ The <action> type attribute can be add,update,fix,remove. <action type="fix" dev="ggregory" due-to="Gary Gregory">Don't use deprecated code in TarFile.</action> <action type="fix" dev="ggregory" due-to="Gary Gregory">CpioArchiveInputStream.read(byte[], int, int) now throws an IOException on a data pad count mismatch.</action> <action type="fix" dev="ggregory" due-to="Gary Gregory">CpioArchiveInputStream.readNewEntry(boolean) now throws an IOException on a header pad count mismatch.</action> + <action type="fix" dev="ggregory" due-to="Gary Gregory">CpioArchiveInputStream.readOldBinaryEntry(boolean) now throws an IOException on a header pad count mismatch.</action> <!-- ADD --> <action type="add" dev="ggregory" due-to="Gary Gregory">Add GzipParameters.getModificationInstant().</action> <action type="add" dev="ggregory" due-to="Gary Gregory">Add GzipParameters.setModificationInstant(Instant).</action> diff --git a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java index ff0d082fa..09199fd5e 100644 --- a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java +++ b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java @@ -457,7 +457,6 @@ public class CpioArchiveInputStream extends ArchiveInputStream<CpioArchiveEntry> private CpioArchiveEntry readOldBinaryEntry(final boolean swapHalfWord) throws IOException { final CpioArchiveEntry oldEntry = new CpioArchiveEntry(FORMAT_OLD_BINARY); - oldEntry.setDevice(readBinaryLong(2, swapHalfWord)); oldEntry.setInode(readBinaryLong(2, swapHalfWord)); final long mode = readBinaryLong(2, swapHalfWord); @@ -482,8 +481,10 @@ public class CpioArchiveInputStream extends ArchiveInputStream<CpioArchiveEntry> if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)) { throw new IOException("Mode 0 only allowed in the trailer. Found entry: " + ArchiveUtils.sanitize(name) + "Occurred at byte: " + getBytesRead()); } - skip(oldEntry.getHeaderPadCount(namesize - 1)); - + final int headerPadCount = oldEntry.getHeaderPadCount(namesize - 1); + if (skip(headerPadCount) != headerPadCount) { + throw new IOException("Header pad count mismatch."); + } return oldEntry; }
