[ https://issues.apache.org/jira/browse/COMPRESS-712?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18038984#comment-18038984 ]
Piotr Karwasz commented on COMPRESS-712:
----------------------------------------
The {{IndexOutOfBoundsException}} occurs if {{TapeSegmentHeader}} is negative,
so I don't think we should accept it, but rather validate the number and throw
a {{DumpArchiveException}}.
Given the definitions below, I strongly suspect that {{c_count}} must be in the
range [0, 512], which would also limit the size of {{blockBuffer}} to around
512 KiB.
{code:java}
extern union u_data {
    char       s_addrs[TP_NINDIR]; /* 1 => data; 0 => hole in inode */
    dump_ino_t s_inos[TP_NINOS];   /* table of first inode on each volume */
} u_data;

struct header {
    int32_t       c_type;           /* record type (see below) */
    int32_t       c_date;           /* date of this dump */
    int32_t       c_ddate;          /* date of previous dump */
    int32_t       c_volume;         /* dump volume number */
    uint32_t      c_tapea_lo;       /* logical block of this record */
    dump_ino_t    c_inumber;        /* number of inode */
    int32_t       c_magic;          /* magic number (see above) */
    int32_t       c_checksum;       /* record checksum */
    new_bsd_inode c_dinode;
    int32_t       c_count;          /* number of valid c_addr entries */
    union u_data  c_data;           /* see above */
    char          c_label[LBLSIZE]; /* dump label */
    int32_t       c_level;          /* level of this dump */
    char          c_filesys[NAMELEN]; /* name of dumpped file system */
    char          c_dev[NAMELEN];   /* name of dumpped device */
    char          c_host[NAMELEN];  /* name of dumpped host */
    int32_t       c_flags;          /* additional information */
    uint32_t      c_firstrec_lo;    /* first record on volume */
    int32_t       c_ntrec;          /* blocksize on volume */
    int32_t       c_extattributes;  /* additional inode info */
    uint32_t      c_tapea_hi;       /* top 32 bits of c_tapea */
    uint32_t      c_firstrec_hi;    /* top 32 bits of c_firstrec */
    int32_t       c_spare[28];      /* reserved for future uses */
};
{code}
> Unsanitized read causes IndexOutOfBoundsException in
> DumpArchiveInputStream.java:359
> ------------------------------------------------------------------------------------
>
> Key: COMPRESS-712
> URL: https://issues.apache.org/jira/browse/COMPRESS-712
> Project: Commons Compress
> Issue Type: Bug
> Components: Archivers
> Environment: Ubuntu 24.04
> $ java --version
> openjdk 21.0.8 2025-07-15
> OpenJDK Runtime Environment (build 21.0.8+9-Ubuntu-0ubuntu124.04.1)
> OpenJDK 64-Bit Server VM (build 21.0.8+9-Ubuntu-0ubuntu124.04.1, mixed mode,
> sharing)
> Reporter: Philip Betzler-Braun
> Assignee: Gary D. Gregory
> Priority: Major
> Fix For: 1.29.0
>
> Attachments:
> IndexOutOfBoundsReproducerInDumpArchiveInputStream-1.java,
> IndexOutOfBoundsReproducerInDumpArchiveInputStream.java
>
>
> *Issue:*
> When reading in unsanitized data in the readDirectoryEntry(DumpArchiveEntry
> entry)
> (org/apache/commons/compress/archivers/dump/DumpArchiveInputStream.java:514)
> the call to DumpArchiveUtil.convert32(blockBuffer, i)
> (DumpArchiveInputStream.java:542) can return negative numbers that are stored
> down the line as int inos in the "name" HashMap.
> When trying to get the path of the DumpArchiveEntry
> (DumpArchiveInputStream.getPath(DumpArchiveInputStream.java:359)) the "names"
> HashMap is used as filter before querying the visited inos. The visited inos
> are stored in a BitSet. If the DumpArchiveEntry or a parent directory
> contains a negative number that was also saved earlier in the "name" HashMap,
> the get (java.base/java.util.BitSet.get(BitSet.java:626)) function is
> throwing a java.lang.IndexOutOfBoundsException.
>
> *Suggestion:*
> # Catch negative ino numbers in a wrapper function around
> DumpArchiveUtil.convert32 and throw an expected error.
> # Catch all internal (runtime) exceptions and throw a general expected
> exception.
>
> *Reproducer:*
> (attached as file -> expected position:
> src/test/java/org/apache/commons/compress/archivers/IndexOutOfBoundsReproducerInDumpArchiveInputStream.java)
> *[^IndexOutOfBoundsReproducerInDumpArchiveInputStream.java]*
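The two checks discussed in this thread (bounding c_count to [0, 512] and rejecting negative inode numbers before they reach a BitSet), as an added sketch that is not Commons Compress code and not part of the original message. The class and method names are hypothetical, IOException stands in for DumpArchiveException, and the byte offset of c_count (160, which assumes a 128-byte c_dinode and 4-byte dump_ino_t) and the little-endian byte order are assumptions.

```java
import java.io.IOException;
import java.util.BitSet;

public class DumpHeaderValidation {
    // Assumed layout: c_count follows eight 32-bit fields and a 128-byte
    // c_dinode, i.e. byte offset 160 (assumption, not stated on the page).
    static final int COUNT_OFFSET = 160;
    static final int MAX_COUNT = 512; // upper bound suggested in the comment

    // Little-endian 32-bit read (assumed byte order for this sketch).
    static int int32(byte[] b, int off) {
        return (b[off] & 0xFF) | (b[off + 1] & 0xFF) << 8
             | (b[off + 2] & 0xFF) << 16 | (b[off + 3] & 0xFF) << 24;
    }

    // Reject a segment header whose c_count is outside [0, MAX_COUNT].
    static int checkedCount(byte[] header) throws IOException {
        if (header.length < COUNT_OFFSET + 4) {
            throw new IOException("truncated segment header");
        }
        int count = int32(header, COUNT_OFFSET);
        if (count < 0 || count > MAX_COUNT) {
            throw new IOException("invalid c_count " + count + ", expected 0.." + MAX_COUNT);
        }
        return count;
    }

    // Reject negative inode numbers before they are used as a BitSet index.
    static int checkedIno(int ino) throws IOException {
        if (ino < 0) {
            throw new IOException("negative inode number " + ino);
        }
        return ino;
    }

    public static void main(String[] args) {
        byte[] header = new byte[1024]; // constructed sample header, all zero
        header[COUNT_OFFSET] = 3;       // constructed valid c_count
        BitSet visited = new BitSet();
        try {
            System.out.println("count = " + checkedCount(header));
            // Constructed malformed header: c_count = 0xFFFFFFFF (-1).
            for (int i = 0; i < 4; i++) header[COUNT_OFFSET + i] = (byte) 0xFF;
            checkedCount(header);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            // Without the check, BitSet.get(-5) throws IndexOutOfBoundsException.
            visited.get(checkedIno(-5));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```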