[https://issues.apache.org/jira/browse/COMPRESS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896618#comment-17896618]
Zaki edited comment on COMPRESS-688 at 11/8/24 9:48 AM:
--------------------------------------------------------
[~ggregory]
In regard to a unit test case showcasing the issue, the *readFilesInfo* method is
private and only reachable by calling a public constructor, so I started out
by writing the following test:
{code:java}
import static org.junit.jupiter.api.Assertions.assertThrows;

import java.nio.file.Files;

import org.junit.jupiter.api.Test;

// getFile(...) resolves a test resource, as in the existing SevenZFile tests.
@Test
void testThrowsNPE() {
    assertThrows(NullPointerException.class, () -> {
        @SuppressWarnings("deprecation")
        SevenZFile sevenZFile = new SevenZFile(
                Files.newByteChannel(getFile("broken-sample.7z").toPath()), "foo");
    });
}{code}
But I am still working on creating an input file that can lead to this issue.
Just wanted to let you know.
Also wanted to get your feedback and any suggestions. Thank you.
> Potential Null Pointer Dereference in SevenZFile.java
> -----------------------------------------------------
>
> Key: COMPRESS-688
> URL: https://issues.apache.org/jira/browse/COMPRESS-688
> Project: Commons Compress
> Issue Type: Bug
> Affects Versions: 1.26.0, 1.26.1, 1.26.2, 1.27.1
> Reporter: Zaki
> Priority: Minor
>
> h2. Reporting a bug found by iCR
> In file:
> [SevenZFile.java|https://github.com/apache/commons-compress/blob/master/src/main/java/org/apache/commons/compress/archivers/sevenz/SevenZFile.java#L1252],
> there is a potential case of null pointer dereference. In method
> *readFilesInfo* inside class *SevenZFile*, there are calls to *readBits*
> inside the *NID.kEmptyFile* and *NID.kAnti* cases of the switch statement. One of
> the parameters passed to the method is *isEmptyStream.cardinality()*.
> *isEmptyStream* is initialized to null and this can lead to a
> *NullPointerException* if the *NID.kEmptyFile* or *NID.kAnti* case is encountered
> before *NID.kEmptyStream*, which assigns a value to *isEmptyStream*. So iCR
> suggests proper null checking before invoking *cardinality()* on
> *isEmptyStream*.
>
> {code:java}
> private void readFilesInfo(final ByteBuffer header, final Archive archive) throws IOException {
>     final int numFilesInt = (int) readUint64(header);
>     final Map<Integer, SevenZArchiveEntry> fileMap = new LinkedHashMap<>();
>     BitSet isEmptyStream = null;
>     BitSet isEmptyFile = null;
>     BitSet isAnti = null;
>     while (true) {
>         final int propertyType = getUnsignedByte(header);
>         if (propertyType == 0) {
>             break;
>         }
>         final long size = readUint64(header);
>         switch (propertyType) {
>         case NID.kEmptyStream: {
>             isEmptyStream = readBits(header, numFilesInt);
>             break;
>         }
>         case NID.kEmptyFile: {
>             // isEmptyStream is still null if kEmptyStream has not been seen yet
>             isEmptyFile = readBits(header, isEmptyStream.cardinality());
>             break;
>         }
>         case NID.kAnti: {
>             isAnti = readBits(header, isEmptyStream.cardinality());
>             break;
>         }
>
>         ...
>
> }{code}
>
> It is not immediately clear whether *NID.kEmptyStream* would always be
> entered before either *NID.kEmptyFile* or *NID.kAnti*. If that is indeed
> the case then this issue can be ignored at your discretion.
> h3. Sponsorship and Support
> This work is done by the security researchers from OpenRefactory and is
> supported by the [Open Source Security Foundation
> (OpenSSF)|https://openssf.org/]: [Project
> Alpha-Omega|https://alpha-omega.dev/]. Alpha-Omega is a project partnering
> with open source software project maintainers to systematically find new,
> as-yet-undiscovered vulnerabilities in open source code - and get them fixed
> - to improve global software supply chain security.
> The bug is found by running the iCR tool by [OpenRefactory,
> Inc.|https://openrefactory.com/] and then manually triaging the results.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
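The following is an added illustration, not Commons Compress code and not the reporter's test: a Python model of the readFilesInfo property loop quoted in the issue, used to show the record ordering that reaches the cardinality() call before kEmptyStream has been read (the kind of input the comment above is trying to construct) and the null check the report asks for. The NID values (kEmptyStream = 0x0E, kEmptyFile = 0x0F, kAnti = 0x10) are assumed from the 7z format description and are not quoted on the page; the 7z variable-length number is simplified to a single byte; and HeaderReader, read_files_info, build_header, parse_result and the two sample headers are constructed for this example.

```python
"""Model of the FilesInfo property loop from SevenZFile.readFilesInfo (COMPRESS-688).

Added illustration, not Commons Compress code. Structure follows the report:
numFiles, then (propertyType, size, payload) records until a 0 byte, where the
kEmptyFile/kAnti bit vectors are sized by the cardinality of kEmptyStream.
"""

# NID values assumed from the 7z format description (7zFormat.txt).
K_END = 0x00
K_EMPTY_STREAM = 0x0E
K_EMPTY_FILE = 0x0F
K_ANTI = 0x10


class HeaderError(Exception):
    """Clean parse failure for a malformed header (what a null check should raise)."""


class HeaderReader:
    """Minimal cursor over the header bytes (constructed for this example)."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def read_byte(self) -> int:
        if self.pos >= len(self.data):
            raise HeaderError("truncated header")
        b = self.data[self.pos]
        self.pos += 1
        return b

    def read_number(self) -> int:
        # Simplified stand-in for readUint64: a single byte, values below 0x80 only.
        b = self.read_byte()
        if b >= 0x80:
            raise HeaderError("multi-byte numbers are not modelled here")
        return b

    def read_bits(self, count: int) -> list:
        # MSB-first bit vector packed into ceil(count / 8) bytes, like readBits.
        bits, cache, mask = [], 0, 0
        for _ in range(count):
            if mask == 0:
                cache, mask = self.read_byte(), 0x80
            bits.append(bool(cache & mask))
            mask >>= 1
        return bits


def read_files_info(header: bytes, strict: bool = True) -> dict:
    """Parse the property loop.

    strict=False mirrors the reported code: the cardinality of is_empty_stream is
    used without a check, so a header carrying kEmptyFile or kAnti before
    kEmptyStream dereferences None (AttributeError, the Python analogue of the NPE).
    strict=True is the hardened form: that ordering is rejected with HeaderError.
    """
    r = HeaderReader(header)
    num_files = r.read_number()
    is_empty_stream = is_empty_file = is_anti = None
    while True:
        prop = r.read_byte()
        if prop == K_END:
            break
        r.read_number()  # size: read, as in the quoted code, but not needed here
        if prop == K_EMPTY_STREAM:
            is_empty_stream = r.read_bits(num_files)
        elif prop in (K_EMPTY_FILE, K_ANTI):
            if strict and is_empty_stream is None:
                raise HeaderError("property 0x%02x before kEmptyStream" % prop)
            count = is_empty_stream.count(True)  # dereference site when None
            if prop == K_EMPTY_FILE:
                is_empty_file = r.read_bits(count)
            else:
                is_anti = r.read_bits(count)
        else:
            raise HeaderError("property 0x%02x not modelled" % prop)
    return {"num_files": num_files, "empty_stream": is_empty_stream,
            "empty_file": is_empty_file, "anti": is_anti}


def build_header(num_files: int, props) -> bytes:
    """Assemble a constructed FilesInfo block: num_files, records, terminator."""
    out = bytes([num_files])
    for nid, payload in props:
        out += bytes([nid, len(payload)]) + payload
    return out + bytes([K_END])


# Constructed inputs: three files; files 0 and 2 have empty streams (bits 101),
# and of those two the first is an empty file (bit 1) and the second is not.
GOOD_HEADER = build_header(3, [(K_EMPTY_STREAM, b"\xa0"), (K_EMPTY_FILE, b"\x80")])
# Same records with kEmptyFile first: the ordering the report asks about.
BAD_HEADER = build_header(3, [(K_EMPTY_FILE, b"\x80"), (K_EMPTY_STREAM, b"\xa0")])


def parse_result(header: bytes, strict: bool) -> str:
    """Classify the outcome for a header: 'ok', 'null-deref' or 'rejected'."""
    try:
        read_files_info(header, strict=strict)
        return "ok"
    except AttributeError:
        return "null-deref"
    except HeaderError:
        return "rejected"


if __name__ == "__main__":
    for name, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(name, "unchecked:", parse_result(hdr, False),
              "checked:", parse_result(hdr, True))
```

Only the FilesInfo block is modelled; a real archive that reaches this code through the SevenZFile constructor, as in the test above, also needs the signature header, the packed-stream information and the surrounding header structure, which is why the reporter's crafted input is still work in progress.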