[
https://issues.apache.org/jira/browse/COMPRESS-490?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stefan Bodewig updated COMPRESS-490:
------------------------------------
Fix Version/s: 1.19
> [lz4] Multiple unchecked exceptions when decompressing malformed input
> ----------------------------------------------------------------------
>
> Key: COMPRESS-490
> URL: https://issues.apache.org/jira/browse/COMPRESS-490
> Project: Commons Compress
> Issue Type: Bug
> Components: Compressors
> Affects Versions: 1.18
> Environment: MacOS Mojave
> openjdk version "1.8.0_212"
> OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
> OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)
> Reporter: Alex Rebert
> Priority: Minor
> Fix For: 1.19
>
> Attachments: ArithmeticException, ArrayIndexOutOfBoundsException1,
> ArrayIndexOutOfBoundsException2
>
>
> Encountered multiple unchecked exceptions thrown from
> {{FramedLZ4CompressorInputStream.read}} when parsing malformed files.
> {{ArrayIndexOutOfBoundsException}} and {{ArithmeticException}} are unchecked
> exceptions that are not documented in this API; therefore, such exceptions
> can cause stability issues in applications that are not expecting them.
> Instead, an {{IOException}} should be thrown indicating that the input stream
> contains malformed data.
> Stack traces for three distinct (but possibly related) sources of exceptions
> follow:
> {noformat}
> java.lang.ArithmeticException: / by zero
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.tryToCopy(AbstractLZ77CompressorInputStream.java:314)
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.readBackReference(AbstractLZ77CompressorInputStream.java:291)
> at org.apache.commons.compress.compressors.lz4.BlockLZ4CompressorInputStream.read(BlockLZ4CompressorInputStream.java:83)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.readOnce(FramedLZ4CompressorInputStream.java:328)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.read(FramedLZ4CompressorInputStream.java:145)
> at java.io.InputStream.read(InputStream.java:101)
> {noformat}
> {noformat}
> java.lang.ArrayIndexOutOfBoundsException
> at java.lang.System.arraycopy(Native Method)
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.tryToCopy(AbstractLZ77CompressorInputStream.java:308)
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.readBackReference(AbstractLZ77CompressorInputStream.java:291)
> at org.apache.commons.compress.compressors.lz4.BlockLZ4CompressorInputStream.read(BlockLZ4CompressorInputStream.java:83)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.readOnce(FramedLZ4CompressorInputStream.java:328)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.read(FramedLZ4CompressorInputStream.java:145)
> at java.io.InputStream.read(InputStream.java:101)
> {noformat}
> {noformat}
> java.lang.ArrayIndexOutOfBoundsException: -1
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.tryToCopy(AbstractLZ77CompressorInputStream.java:304)
> at org.apache.commons.compress.compressors.lz77support.AbstractLZ77CompressorInputStream.readBackReference(AbstractLZ77CompressorInputStream.java:291)
> at org.apache.commons.compress.compressors.lz4.BlockLZ4CompressorInputStream.read(BlockLZ4CompressorInputStream.java:83)
> at org.apache.commons.compress.compressors.lz4.BlockLZ4CompressorInputStream.read(BlockLZ4CompressorInputStream.java:75)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.readOnce(FramedLZ4CompressorInputStream.java:328)
> at org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream.read(FramedLZ4CompressorInputStream.java:145)
> at java.io.InputStream.read(InputStream.java:101)
> {noformat}
> The inputs were automatically generated by fuzzing, by repeatedly mutating
> random bytes in a well-formed file.
>
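A robustness check for the behaviour reported above, added here as an example (it is not code from the issue, the reporter, or Commons Compress): it mutates random bytes of a well-formed LZ4 frame, as the report describes, and counts every unchecked exception that escapes `FramedLZ4CompressorInputStream.read` instead of an `IOException`. The class name `Lz4MalformedInputCheck`, its helper names, the sample data, the seed and the iteration count are assumptions; it expects the commons-compress jar under test on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Random;
import org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorInputStream;
import org.apache.commons.compress.compressors.lz4.FramedLZ4CompressorOutputStream;
// Hypothetical harness name; not part of Commons Compress.
public class Lz4MalformedInputCheck {
    // Constructed sample: repetitive bytes so the frame contains back-references.
    static byte[] wellFormedFrame() throws IOException {
        byte[] plain = new byte[4096];
        for (int i = 0; i < plain.length; i++) plain[i] = (byte) (i % 7);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (FramedLZ4CompressorOutputStream out = new FramedLZ4CompressorOutputStream(bos)) {
            out.write(plain);
        }
        return bos.toByteArray();
    }

    // Drains the stream. IOException is the documented failure; returns any unchecked exception.
    static RuntimeException decode(byte[] input) {
        byte[] buf = new byte[512];
        try (InputStream in = new FramedLZ4CompressorInputStream(new ByteArrayInputStream(input))) {
            while (in.read(buf) != -1) { /* discard output */ }
            return null;
        } catch (IOException expected) {
            return null;
        } catch (RuntimeException undocumented) {
            return undocumented;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] seed = wellFormedFrame();
        Random rnd = new Random(490); // fixed seed so a run is repeatable
        int findings = 0;
        for (int i = 0; i < 100_000; i++) {
            byte[] mutated = seed.clone();
            for (int j = 1 + rnd.nextInt(4); j > 0; j--) {
                mutated[rnd.nextInt(mutated.length)] = (byte) rnd.nextInt(256);
            }
            RuntimeException e = decode(mutated);
            if (e != null && findings++ < 10) System.out.println("iteration " + i + ": " + e);
        }
        System.out.println(findings + " unchecked exception(s) escaped read()");
        if (findings > 0) System.exit(1);
    }
}
```

The non-zero exit status on any finding lets the check run as a gate in CI against whichever library version an application ships.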