Copilot commented on code in PR #780:
URL: https://github.com/apache/commons-compress/pull/780#discussion_r3547048566
##########
src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java:
##########
@@ -371,6 +373,12 @@ private void buildSparseInputStreams() throws IOException {
}
// only store the input streams with non-zero size
if (sparseHeader.getNumbytes() > 0) {
+ dataBytes += sparseHeader.getNumbytes();
Review Comment:
`dataBytes += sparseHeader.getNumbytes()` can overflow for crafted sparse
maps with very large `numbytes`, which could wrap `dataBytes` negative and
bypass the new `dataBytes > currEntry.getSize()` guard. Use exact-add semantics
(or an explicit overflow check) when accumulating physical sparse block bytes
so corrupted archives can’t evade the size limit via integer overflow.
##########
src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveInputStream.java:
##########
@@ -380,6 +382,13 @@ private void buildSparseInputStreams() throws IOException {
}
// only store the input streams with non-zero size
if (sparseHeader.getNumbytes() > 0) {
+ dataBytes += sparseHeader.getNumbytes();
Review Comment:
`dataBytes += sparseHeader.getNumbytes()` can overflow for crafted sparse
maps with very large `numbytes`, which could wrap `dataBytes` and bypass the
new `dataBytes > currEntry.getSize()` guard. Accumulate using an
overflow-checking add (e.g., `ArchiveException.addExact`) so malicious archives
can’t evade the entry-size limit via integer overflow.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]