This is an automated email from the ASF dual-hosted git repository. peterlee pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push: new 08d754c COMPRESS-548 : throw exception if length of zip extra field is too short 08d754c is described below commit 08d754cce4bb9a3bc30467e965ab86c64473e032 Author: PeterAlfredLee <peteralfred...@gmail.com> AuthorDate: Mon Aug 24 16:58:01 2020 +0800 COMPRESS-548 : throw exception if length of zip extra field is too short --- src/changes/changes.xml | 5 +++++ .../commons/compress/archivers/zip/AsiExtraField.java | 4 ++++ .../compress/archivers/zip/ZipArchiveInputStreamTest.java | 9 +++++++++ src/test/resources/COMPRESS-548.zip | Bin 0 -> 79 bytes 4 files changed, 18 insertions(+) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index b217d77..3a3731d 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -212,6 +212,11 @@ The <action> type attribute can be add,update,fix,remove. Add a new maven profile in pom.xml for JDK14+ to ignore the failing tests about Pack200. </action> + <action issue="COMPRESS-548" type="fix" date="2020-08-24" + due-to="Maksim Zuev" dev="PeterLee"> + Throw an exception when reading the zip extra field if the + length is too short. + </action> </release> <release version="1.20" date="2020-02-08" description="Release 1.20 (Java 7)"> diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/AsiExtraField.java b/src/main/java/org/apache/commons/compress/archivers/zip/AsiExtraField.java index d2ed167..1909a2f 100644 --- a/src/main/java/org/apache/commons/compress/archivers/zip/AsiExtraField.java +++ b/src/main/java/org/apache/commons/compress/archivers/zip/AsiExtraField.java 
@@ -266,6 +266,10 @@ public class AsiExtraField implements ZipExtraField, UnixStat, Cloneable { @Override public void parseFromLocalFileData(final byte[] data, final int offset, final int length) throws ZipException { + if (length < WORD) { + throw new ZipException("The length is too short, only " + + length + " bytes, expected at least " + WORD); + } final long givenChecksum = ZipLong.getValue(data, offset); final byte[] tmp = new byte[length - WORD]; diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java index 23b695a..9175476 100644 --- a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java +++ b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java @@ -719,6 +719,15 @@ public class ZipArchiveInputStreamTest { } } + @Test + public void testZipWithBadExtraFields() throws IOException { + try (InputStream fis = new FileInputStream(getFile("COMPRESS-548.zip")); + ZipArchiveInputStream zipInputStream = new ZipArchiveInputStream(fis);) { + while (zipInputStream.getNextZipEntry() != null) { + } + } + } + private static byte[] readEntry(final ZipArchiveInputStream zip, final ZipArchiveEntry zae) throws IOException { final int len = (int)zae.getSize(); final byte[] buff = new byte[len]; diff --git a/src/test/resources/COMPRESS-548.zip b/src/test/resources/COMPRESS-548.zip new file mode 100644 index 0000000..2795cd2 Binary files /dev/null and b/src/test/resources/COMPRESS-548.zip differ
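Review bot: The new guard in parseFromLocalFileData still accepts `length == WORD`, which leaves `tmp` as a zero-length array, so only the checksum read is protected. The rest of the method lies outside this hunk; if it reads fixed-size fields from `tmp` before checking `tmp.length`, a truncated field in an untrusted archive would still end in an unchecked exception rather than a ZipException. In that case the lower bound should be the checksum plus the fixed fields that follow it, not `WORD` alone. A short comment above the check would record the intent, for example `// length is taken from the archive: reject truncated fields before sizing tmp`, and the message could name the field (`"ASI extra field is too short, only "`) so the failure can be traced from a log line.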
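Review bot: testZipWithBadExtraFields has an empty `while` body and no assertion, so it never states what outcome it expects. As written it passes only when iterating COMPRESS-548.zip throws nothing, which suggests the ZipException from the new guard is meant to be absorbed by the reader's extra-field handling; that should be confirmed and written down, for example `// COMPRESS-548: a truncated ASI extra field must not surface as an unchecked exception`. A direct test that calls `AsiExtraField.parseFromLocalFileData` with a length below `WORD` and expects ZipException would pin the new branch itself instead of relying on the binary fixture. The trailing `;` after the last resource in the try header is legal but can be dropped.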