[
https://issues.apache.org/jira/browse/COMPRESS-713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18043151#comment-18043151
]
Philip Betzler-Braun edited comment on COMPRESS-713 at 12/6/25 7:04 AM:
------------------------------------------------------------------------
Okay, thank you! :)
I'm a little insecure here on how to help the best and do not want to waste
your time.
I'll keep adding them. If they are at any point not helpful then please tell
me, I could use that to get better! :)
was (Author: JIRAUSER311490):
Okay, thank you! :)
I'm a little insecure here on how to help the best, because on the one side I
got rusty in terms of programming skills and you are definitely way above my
skill level and on the other side I expect you to be very busy and do not want
to waste your time.
I'll keep adding them. If they are at any point not helpful then please tell
me, I could use that to get better! :)
> Unchecked pre-decremental notation in for-loop as array index causes
> ArrayOutOfBounds access
> --------------------------------------------------------------------------------------------
>
> Key: COMPRESS-713
> URL: https://issues.apache.org/jira/browse/COMPRESS-713
> Project: Commons Compress
> Issue Type: Bug
> Components: Compressors
> Environment: Ubuntu 24.04
> $ java --version
> openjdk 21.0.8 2025-07-15
> OpenJDK Runtime Environment (build 21.0.8+9-Ubuntu-0ubuntu124.04.1)
> OpenJDK 64-Bit Server VM (build 21.0.8+9-Ubuntu-0ubuntu124.04.1, mixed mode,
> sharing)
> Reporter: Philip Betzler-Braun
> Assignee: Gary D. Gregory
> Priority: Major
> Attachments: ArrayOutOfBoundsZipInArchiveInputStreamReproducer.java
>
>
> *Issue:*
> LZWInputStream
> (org.apache.commons.compress.compressors.lzw.LZWInputStream.expandCodeToOutputStack(LZWInputStream.java:150))
> contains a byte array outputStack with the size 8192 and an int
> outputStackLocation that is used to find the position to write to in the
> stack. In the function expandCodeToOutputStack (LZWInputStream.java:150)
> there is a C-style pre-decremental statement that is executed in a for-loop
> and never checks what its value is and if the loop goes on for more than
> 8192 iterations, it causes an ArrayOutOfBounds access to the outputStack byte
> array.
>
> Begin: LZWInputStream.java:149
> {code:java}
> for (int entry = code; entry >= 0; entry = prefixes[entry]) {
>     outputStack[--outputStackLocation] = characters[entry];
> }
> {code}
>
> *Suggestion:*
> * Catch the ArrayOutOfBounds exception and throw a library specific
> exception.
>
> *Reproduction:*
> (reproducer in attached file -> intended location is:
> src/test/java/org/apache/commons/compress/archivers/zip/ArrayOutOfBoundsZipInArchiveInputStreamReproducer.java)
> [^ArrayOutOfBoundsZipInArchiveInputStreamReproducer.java]
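The loop quoted in the issue above, as an added example (not code from the report or from Commons Compress): a simplified model with constructed tables and a 4-byte stack standing in for the 8192-byte one, showing the unchecked pre-decrement next to an explicit bounds check. The class name, the method names and the use of IOException as the library-specific exception are assumptions.

```java
import java.io.IOException;

/** Added illustration; a simplified model, not the Commons Compress source. */
public class LzwStackGuardDemo {
    // Constructed tables: each entry's prefix is the previous entry; -1 ends the chain.
    static final int[] PREFIXES = {-1, 0, 1, 2, 3, 4};
    static final byte[] CHARACTERS = {'a', 'b', 'c', 'd', 'e', 'f'};

    /** Loop shape from the report: the index is decremented without any check. */
    static int expandUnchecked(int code, byte[] outputStack) {
        int outputStackLocation = outputStack.length;
        for (int entry = code; entry >= 0; entry = PREFIXES[entry]) {
            outputStack[--outputStackLocation] = CHARACTERS[entry];
        }
        return outputStackLocation;
    }

    /** Guarded form: a full stack is reported as a checked, input-level error. */
    static int expandChecked(int code, byte[] outputStack) throws IOException {
        int outputStackLocation = outputStack.length;
        for (int entry = code; entry >= 0; entry = PREFIXES[entry]) {
            if (outputStackLocation == 0) {
                // IOException stands in for a library-specific exception (assumption).
                throw new IOException("LZW prefix chain exceeds output stack of "
                        + outputStack.length + " bytes");
            }
            outputStack[--outputStackLocation] = CHARACTERS[entry];
        }
        return outputStackLocation;
    }

    public static void main(String[] args) {
        byte[] stack = new byte[4]; // small stand-in for the 8192-byte stack
        try {
            expandUnchecked(5, stack); // chain of 6 entries, stack of 4
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked: " + e);
        }
        try {
            expandChecked(5, stack);
        } catch (IOException e) {
            System.out.println("checked: " + e.getMessage());
        }
        try {
            System.out.println("chain that fits, stack top at index " + expandChecked(2, stack));
        } catch (IOException e) { throw new IllegalStateException(e); }
    }
}
```

The explicit check reports the condition before any out-of-range write is attempted, so callers that already handle IOException for corrupt input need no extra catch for a runtime exception.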