yakovsh opened a new pull request, #435: URL: https://github.com/apache/commons-compress/pull/435
Adds a validation check and unit test for possible invalid values of maxCodeSize when parsing Z files. This was discovered as part of the fuzzing expansion covered in COMPRESS-632. This addresses the fact that the maxCodeSize value that is used to initialize the decompression is based on a raw byte read by ZCompressorInputStream without validation (unlike the UnshrinkingInputStream in ZIP, where it is simply set to a default value).

The validation adds three checks:

- Detect values less than or equal to zero, otherwise initializeTables() in LZWInputStream will throw an IllegalArgumentException (lines 198-201)
- Detect that (1 << maxCodeSize) is less than 256, otherwise the loop in initializeTables() in LZWInputStream will throw array exceptions (lines 181-184)
- Detect that maxCodeSize is larger than codeSize, otherwise uncaught exceptions will be thrown when the stream is parsed. Specifically, addEntry() in LZWInputStream, lines 79-80.
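The three checks described in the message above, as a stand-alone sketch added here for illustration; it is not the code from the pull request or from Commons Compress. The class and method names, the use of IOException, the initial code size of 9 bits, and the reading of the third check as "reject a maximum below the initial code size" are assumptions of this example.

```java
import java.io.IOException;

public class ZHeaderCheck {
    // .Z header: two magic bytes, then a flags byte whose low five bits
    // carry the maximum LZW code size, taken straight from the input.
    static final int MAGIC_1 = 0x1f, MAGIC_2 = 0x9d;
    static final int MAX_CODE_SIZE_MASK = 0x1f;
    // Assumptions: decoding starts with 9-bit codes and 256 literal entries.
    static final int INITIAL_CODE_SIZE = 9;
    static final int LITERALS = 256;

    // Hypothetical helper: returns a validated maxCodeSize or fails with a
    // checked exception before any LZW table is allocated.
    static int readMaxCodeSize(byte[] header) throws IOException {
        if (header.length < 3 || (header[0] & 0xff) != MAGIC_1
                || (header[1] & 0xff) != MAGIC_2) {
            throw new IOException("Input is not in .Z format");
        }
        int maxCodeSize = header[2] & MAX_CODE_SIZE_MASK;
        if (maxCodeSize <= 0) {                  // check 1: no usable table size
            throw new IOException("maxCodeSize must be positive: " + maxCodeSize);
        }
        if ((1 << maxCodeSize) < LITERALS) {     // check 2: table cannot hold literals
            throw new IOException("maxCodeSize too small for 256 literals: " + maxCodeSize);
        }
        if (maxCodeSize < INITIAL_CODE_SIZE) {   // check 3: below the starting code size
            throw new IOException("maxCodeSize below initial code size: " + maxCodeSize);
        }
        return maxCodeSize;
    }

    public static void main(String[] args) {
        // Constructed sample headers; third byte = block-mode bit | maxCodeSize.
        byte[][] samples = {
            {0x1f, (byte) 0x9d, (byte) 0x90},    // 16: accepted
            {0x1f, (byte) 0x9d, (byte) 0x80},    // 0:  fails check 1
            {0x1f, (byte) 0x9d, (byte) 0x85},    // 5:  fails check 2
            {0x1f, (byte) 0x9d, (byte) 0x88},    // 8:  passes check 2, fails check 3
        };
        for (byte[] h : samples) {
            String flags = String.format("flags=0x%02x", h[2] & 0xff);
            try {
                System.out.println(flags + " -> maxCodeSize " + readMaxCodeSize(h));
            } catch (IOException e) {
                System.out.println(flags + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the five-bit mask limits the field to 0 through 31, only a handful of values are invalid, which makes a unit test over every possible flags byte cheap to write.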
