Hello. Le mer. 9 févr. 2022 à 02:59, <ggreg...@apache.org> a écrit : > > This is an automated email from the ASF dual-hosted git repository. > > ggregory pushed a commit to branch master > in repository https://gitbox.apache.org/repos/asf/commons-compress.git > > > The following commit(s) were added to refs/heads/master by this push: > new 666e787 Address CodeQL issues in pack200/unpack200 packages. > 666e787 is described below > > commit 666e787a17e4e7321b70e99e55acf27b6382ab17 > Author: Gary Gregory <garydgreg...@gmail.com> > AuthorDate: Tue Feb 8 20:59:31 2022 -0500 > > Address CodeQL issues in pack200/unpack200 packages. > > Throw ArithmeticExceptioninstead of silently overflowing. > --- > .../compress/archivers/cpio/CpioArchiveEntry.java | 3 +- > .../compress/harmony/pack200/BHSDCodec.java | 6 ++- > .../compress/harmony/pack200/FileBands.java | 3 +- > .../commons/compress/harmony/pack200/RunCodec.java | 8 ++-- > .../compress/harmony/unpack200/BandSet.java | 3 +- > .../apache/commons/compress/utils/ExactMath.java | 44 > ++++++++++++++++++++++ > 6 files changed, 59 insertions(+), 8 deletions(-) > > diff --git > a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java > > b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java > index 57c77f5..5e5e7ad 100644 > --- > a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java > +++ > b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java > @@ -30,6 +30,7 @@ import java.util.Objects; > import java.util.concurrent.TimeUnit; > > import org.apache.commons.compress.archivers.ArchiveEntry; > +import org.apache.commons.compress.utils.ExactMath;
Why is this class used rather than "Math.addExact"[1]? [If there is a reason, then the Javadoc of method "add(int,long)" should document the purpose and rationale of the odd signature (and its caveat that it can throw even for computations that would not overflow).] Regards, Gilles [1] https://docs.oracle.com/javase/8/docs/api/java/lang/Math.html#addExact-int-int- > > /** > * A cpio archive consists of a sequence of files. There are several types of > @@ -572,7 +573,7 @@ public class CpioArchiveEntry implements CpioConstants, > ArchiveEntry { > } > int size = this.headerSize + 1; // Name has terminating null > if (name != null) { > - size += nameSize; > + size = ExactMath.add(size, nameSize); > } > final int remain = size % this.alignmentBoundary; > if (remain > 0) { > diff --git > a/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java > b/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java > index 8bd7020..5117481 100644 > --- a/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java > +++ b/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java > @@ -22,6 +22,8 @@ import java.io.InputStream; > import java.util.ArrayList; > import java.util.List; > > +import org.apache.commons.compress.utils.ExactMath; > + > /** > * A BHSD codec is a means of encoding integer values as a sequence of bytes > or vice versa using a specified "BHSD" > * encoding mechanism. It uses a variable-length encoding and a modified > sign representation such that small numbers are > @@ -243,7 +245,7 @@ public final class BHSDCodec extends Codec { > band[i] -= cardinality; > } > while (band[i] < smallest) { > - band[i] += cardinality; > + band[i] = ExactMath.add(band[i], cardinality); > } > } > } > @@ -260,7 +262,7 @@ public final class BHSDCodec extends Codec { > band[i] -= cardinality; > } > while (band[i] < smallest) { > - band[i] += cardinality; > + band[i] = ExactMath.add(band[i], cardinality); > } > } > } > diff --git > a/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java > b/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java > index 746b900..a394978 100644 > --- a/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java > +++ b/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java > @@ -25,6 +25,7 @@ import java.util.TimeZone; > > import org.apache.commons.compress.harmony.pack200.Archive.PackingFile; > import org.apache.commons.compress.harmony.pack200.Archive.SegmentUnit; > +import org.apache.commons.compress.utils.ExactMath; > import org.objectweb.asm.ClassReader; > > /** > @@ -86,7 +87,7 @@ public class FileBands extends BandSet { > } > final byte[] bytes = packingFile.getContents(); > file_size[i] = bytes.length; > - totalSize += file_size[i]; > + totalSize = ExactMath.add(totalSize, file_size[i]); > > // update modification time > modtime = (packingFile.getModtime() + > TimeZone.getDefault().getRawOffset()) / 1000L; > diff --git > a/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java > b/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java > index 41a07c3..f14b822 100644 > --- a/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java > +++ b/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java > @@ -20,6 +20,8 @@ import java.io.IOException; > import java.io.InputStream; > import java.util.Arrays; > > +import org.apache.commons.compress.utils.ExactMath; > + > /** > * A run codec is a grouping of two nested codecs; K values are decoded from > the first codec, and the remaining codes > * are decoded from the remaining codec. Note that since this codec > maintains state, the instances are not reusable. > @@ -68,7 +70,7 @@ public class RunCodec extends Codec { > value -= cardinality; > } > while (value < bhsd.smallest()) { > - value += cardinality; > + value = ExactMath.add(value, cardinality); > } > } > } > @@ -98,7 +100,7 @@ public class RunCodec extends Codec { > band[i] -= cardinality; > } > while (band[i] < bhsd.smallest()) { > - band[i] += cardinality; > + band[i] = ExactMath.add(band[i], cardinality); > } > } > } > @@ -117,7 +119,7 @@ public class RunCodec extends Codec { > band[i] -= cardinality; > } > while (band[i] < bhsd.smallest()) { > - band[i] += cardinality; > + band[i] = ExactMath.add(band[i], cardinality); > } > } > } > diff --git > a/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java > b/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java > index 5818623..55c26c0 100644 > --- a/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java > +++ b/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java > @@ -36,6 +36,7 @@ import > org.apache.commons.compress.harmony.unpack200.bytecode.CPMethodRef; > import org.apache.commons.compress.harmony.unpack200.bytecode.CPNameAndType; > import org.apache.commons.compress.harmony.unpack200.bytecode.CPString; > import org.apache.commons.compress.harmony.unpack200.bytecode.CPUTF8; > +import org.apache.commons.compress.utils.ExactMath; > > /** > * Abstract superclass for a set of bands > @@ -118,7 +119,7 @@ public abstract class BandSet { > band[i] -= cardinality; > } > while (band[i] < bhsd.smallest()) { > - band[i] += cardinality; > + band[i] = ExactMath.add(band[i], cardinality); > } > } > } > diff --git a/src/main/java/org/apache/commons/compress/utils/ExactMath.java > b/src/main/java/org/apache/commons/compress/utils/ExactMath.java > new file mode 100644 > index 0000000..860aa0d > --- /dev/null > +++ b/src/main/java/org/apache/commons/compress/utils/ExactMath.java > @@ -0,0 +1,44 @@ > +/* > + * Licensed to the Apache Software Foundation (ASF) under one > + * or more contributor license agreements. See the NOTICE file > + * distributed with this work for additional information > + * regarding copyright ownership. The ASF licenses this file > + * to you under the Apache License, Version 2.0 (the > + * "License"); you may not use this file except in compliance > + * with the License. You may obtain a copy of the License at > + * > + * http://www.apache.org/licenses/LICENSE-2.0 > + * > + * Unless required by applicable law or agreed to in writing, > + * software distributed under the License is distributed on an > + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY > + * KIND, either express or implied. See the License for the > + * specific language governing permissions and limitations > + * under the License. > + */ > + > +package org.apache.commons.compress.utils; > + > +/** > + * PRIVATE. > + * > + * Performs exact math through {@link Math} "exact" APIs. > + */ > +public class ExactMath { > + > + private ExactMath() { > + // no instances > + } > + > + /** > + * Adds two values and throws an exception on overflow. > + * > + * @param intValue the first value. > + * @param longValue the second value. > + * @return addition of both values. > + * @throws ArithmeticException when there is an overflow. > + */ > + public static int add(final int intValue, final long longValue) { > + return Math.addExact(intValue, Math.toIntExact(longValue)); > + } > +} --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
