[ https://issues.apache.org/jira/browse/COMPRESS-605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17509644#comment-17509644 ]

nick allen commented on COMPRESS-605:
-------------------------------------

[~ggregory] I tried to fix it, but it turns out to be extremely hard because 
the apk signing block has a variable size and it only has a signature at the end. 
So if I want to fix this issue perfectly I need to buffer the whole apk signing 
block section and call isApkSigningBlock each time we call readDataDescriptor 
and push back if what follows is not an apk signing block. 

The root cause of this issue is that in readDataDescriptor we check whether bytes 8~16 
are some kind of signature to decide whether the data descriptor's length is 
eight bytes (see the comment of ZipArchiveInputStream#readDataDescriptor for 
more details); unfortunately the apk signing block doesn't have any signature at 
the beginning. So the last entry of the apk will always be assumed to have a data 
descriptor with 8-byte lengths.

My client promises me that with an 8-byte-length data descriptor there will always be 
a zip64 header, so I just changed `potentialSig.equals(ZipLong.CFH_SIG) || 
potentialSig.equals(ZipLong.LFH_SIG)` to `!current.usesZip64` to get around 
this issue.

> Failed to parse Non-zip64 signed apk with data descriptor
> ---------------------------------------------------------
>
>                 Key: COMPRESS-605
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-605
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>    Affects Versions: 1.21
>            Reporter: nick allen
>            Priority: Major
>
> I can't upload my apk due to the security policy of my company, but I did find 
> where the problem lies.
> In 
> org.apache.commons.compress.archivers.zip.ZipArchiveInputStream#readDataDescriptor
>  we check whether the following bytes are signatures to determine whether size is 
> 8 bytes or 4 bytes. Because what follows is the apk signing block, it will 
> always think "size" takes 8 bytes.
> So (4 + 4 = 8) extra bytes were read, which leads to 
> org.apache.commons.compress.archivers.zip.ZipArchiveInputStream#isApkSigningBlock
>  also returning false.
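The misparse described in the comment and in the issue text above, as an added stand-alone example (not Commons Compress code): a small Python parser reads a data descriptor either with the signature look-ahead heuristic or with the entry's zip64 flag, and is run over a constructed non-zip64 descriptor followed once by a local file header and once by a constructed APK signing block, whose leading 8 bytes are a length rather than a signature. The ID-value pair contents and the placeholder ID are constructed.

```python
import struct

DD_SIG, LFH_SIG, CFH_SIG = 0x08074B50, 0x04034B50, 0x02014B50

def read_data_descriptor(buf, pos, uses_zip64, lookahead):
    """Parse the data descriptor at buf[pos]; return (crc, csize, usize, next_pos).

    lookahead=True mimics the signature look-ahead: after the CRC, bytes 8..12
    are checked for an LFH/CFH signature; if found the sizes are 4 bytes each,
    otherwise 8 bytes each. lookahead=False uses the entry's zip64 flag instead
    (the `!current.usesZip64` change described in the comment).
    """
    (val,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if val == DD_SIG:  # optional descriptor signature: skip it, the CRC follows
        (val,) = struct.unpack_from("<I", buf, pos)
        pos += 4
    crc = val
    if lookahead:
        (potential_sig,) = struct.unpack_from("<I", buf, pos + 8)
        eight = potential_sig not in (LFH_SIG, CFH_SIG)
    else:
        eight = uses_zip64
    fmt = "<QQ" if eight else "<II"
    csize, usize = struct.unpack_from(fmt, buf, pos)
    return crc, csize, usize, pos + struct.calcsize(fmt)

# Constructed sample: a signed, non-zip64 descriptor for a 10-byte entry.
DESCRIPTOR = struct.pack("<IIII", DD_SIG, 0xDEADBEEF, 10, 10)
# Constructed APK signing block: uint64 size, one ID-value pair (constructed
# placeholder ID 0x12345678), the uint64 size again, then the 16-byte magic.
# It starts with a length, not a signature, which is what defeats the look-ahead.
_pair = struct.pack("<QI", 4 + 3, 0x12345678) + b"abc"
_size = len(_pair) + 8 + 16  # the block size excludes the leading size field
APK_SIG_BLOCK = struct.pack("<Q", _size) + _pair + struct.pack("<Q", _size) + b"APK Sig Block 42"
# Constructed local file header of a following entry (signature + zeroed fields).
NEXT_LFH = struct.pack("<I", LFH_SIG) + bytes(26)

def parse_last_entry(follow, lookahead):
    """Parse DESCRIPTOR followed by `follow`; report the sizes, the resulting
    stream position, and whether the stream was left exactly at `follow`."""
    buf = DESCRIPTOR + follow
    _, csize, usize, nxt = read_data_descriptor(buf, 0, False, lookahead)
    return csize, usize, nxt, buf[nxt:] == follow
```

With the look-ahead, the APK case swallows the block's 8-byte size field as the uncompressed size and leaves the stream 8 bytes inside the block, so a later check for the block's start cannot succeed; the flag-based parse leaves the stream at the block's first byte.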

--
This message was sent by Atlassian Jira
(v8.20.1#820001)