[
https://issues.apache.org/jira/browse/COMPRESS-688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895938#comment-17895938
]
Gary D. Gregory edited comment on COMPRESS-688 at 11/8/24 12:55 PM:
--------------------------------------------------------------------
Hello [~zaki023]
Please provide a failing unit test that demonstrates the issue.
You might need to create a broken (or not) file.
Please post the description in... the description field, not a PDF which could
be corrupted, the irony! 😉
Gary
was (Author: garydgregory):
Hello [~zaki023]
Please provide a failing unit tests that demonstrates the issue.
You might need to create a broken (or not) file.
Please post the description in... the description field, not a PDF which be
corrupted, the irony! 😉
Gary
> Potential Null Pointer Dereference in SevenZFile.java
> -----------------------------------------------------
>
> Key: COMPRESS-688
> URL: https://issues.apache.org/jira/browse/COMPRESS-688
> Project: Commons Compress
> Issue Type: Bug
> Affects Versions: 1.26.0, 1.26.1, 1.26.2, 1.27.1
> Reporter: Zaki
> Priority: Minor
>
> h2. Reporting a bug found by iCR
> In file:
> [SevenZFile.java|https://github.com/apache/commons-compress/blob/master/src/main/java/org/apache/commons/compress/archivers/sevenz/SevenZFile.java#L1252],
> there is a potential case of null pointer dereference. In method
> *readFilesInfo* inside class {*}SevenZFile{*}, there are calls to *readBits*
> inside *NID.kEmptyFile* and *NID.kAnti* cases of the switch statement. One of
> the parameters passed to the method is {*}isEmptyStream.cardinality(){*}.
> *isEmptyStream* is initialized to null and this can lead to
> *NullPointerException* if *NID.kEmptyFile* or *NID.kAnti* case is encountered
> before *NID.kEmptyStream* which assigns value to {*}isEmptyStream{*}. So iCR
> suggests proper null checking before invoking `{*}cardinality(){*}` on
> {*}isEmptyStream{*}.
>
> {code:java}
>   private void readFilesInfo(final ByteBuffer header, final Archive archive) throws IOException {
>     final int numFilesInt = (int) readUint64(header);
>     final Map<Integer, SevenZArchiveEntry> fileMap = new LinkedHashMap<>();
>     BitSet isEmptyStream = null;
>     BitSet isEmptyFile = null;
>     BitSet isAnti = null;
>     while (true) {
>       final int propertyType = getUnsignedByte(header);
>       if (propertyType == 0) {
>         break;
>       }
>       final long size = readUint64(header);
>       switch (propertyType) {
>       case NID.kEmptyStream: {
>         isEmptyStream = readBits(header, numFilesInt);
>         break;
>       }
>       case NID.kEmptyFile: {
>         isEmptyFile = readBits(header, isEmptyStream.cardinality());
>         break;
>       }
>       case NID.kAnti: {
>         isAnti = readBits(header, isEmptyStream.cardinality());
>         break;
>       }
>
> ...
>
> }
> {code}
>
> It is not immediately clear whether *NID.kEmptyStream* would always be
> entered before either *NID.kEmptyFile* or {*}NID.kAnti{*}. If that is indeed
> the case then this issue can be ignored at your discretion.
> h3. Sponsorship and Support
> This work is done by the security researchers from OpenRefactory and is
> supported by the [Open Source Security Foundation
> (OpenSSF)|https://openssf.org/]: [Project
> Alpha-Omega|https://alpha-omega.dev/]. Alpha-Omega is a project partnering
> with open source software project maintainers to systematically find new,
> as-yet-undiscovered vulnerabilities in open source code - and get them fixed
> - to improve global software supply chain security.
> The bug is found by running the iCR tool by [OpenRefactory,
> Inc.|https://openrefactory.com/] and then manually triaging the results.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
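
The ordering dependence described in the report, as an added example that is not part of the original message and is not Commons Compress code. It is a simplified model of the quoted loop: the class name, the one-byte size field, the property id values, the `guarded` flag and both headers are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.util.BitSet;
// Added example: simplified model of the quoted loop, not Commons Compress code.
public class EmptyStreamOrderDemo {
    // Property ids and one-byte sizes are assumptions of this model.
    static final int K_END = 0x00, K_EMPTY_STREAM = 0x0E, K_EMPTY_FILE = 0x0F;
    // Reads `count` bits, most significant bit first.
    static BitSet readBits(ByteBuffer header, int count) {
        BitSet bits = new BitSet(count);
        int mask = 0, cache = 0;
        for (int i = 0; i < count; i++, mask >>>= 1) {
            if (mask == 0) { mask = 0x80; cache = header.get() & 0xFF; }
            bits.set(i, (cache & mask) != 0);
        }
        return bits;
    }
    // guarded=false keeps the reported pattern; guarded=true rejects the header.
    static BitSet parse(byte[] raw, int numFiles, boolean guarded) throws IOException {
        ByteBuffer header = ByteBuffer.wrap(raw);
        BitSet isEmptyStream = null, isEmptyFile = null;
        int propertyType;
        while ((propertyType = header.get() & 0xFF) != K_END) {
            header.get(); // property size, unused in this model
            switch (propertyType) {
            case K_EMPTY_STREAM:
                isEmptyStream = readBits(header, numFiles);
                break;
            case K_EMPTY_FILE:
                if (guarded && isEmptyStream == null) {
                    throw new IOException("kEmptyFile before kEmptyStream");
                }
                isEmptyFile = readBits(header, isEmptyStream.cardinality());
                break;
            default:
                throw new IOException("unsupported property " + propertyType);
            }
        }
        return isEmptyFile;
    }
    public static void main(String[] args) throws IOException {
        // Constructed headers for 3 files: well-ordered, then kEmptyFile first.
        byte[] ordered = {0x0E, 1, (byte) 0xA0, 0x0F, 1, (byte) 0x80, 0x00};
        byte[] swapped = {0x0F, 1, (byte) 0x80, 0x0E, 1, (byte) 0xA0, 0x00};
        System.out.println("ordered: " + parse(ordered, 3, true));
        try { parse(swapped, 3, false); } catch (NullPointerException e) { System.out.println("unguarded: NullPointerException"); }
        try { parse(swapped, 3, true); } catch (IOException e) { System.out.println("guarded: " + e.getMessage()); }
    }
}
```

With the guard, a header that lists the properties out of order is reported as an `IOException`, the exception type the quoted method already declares, rather than an unchecked `NullPointerException`.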