This is an automated email from the ASF dual-hosted git repository. ggregory pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push: new 4c9659c4e [COMPRESS-647] Throw IOException instead of ArrayIndexOutOfBoundsException when reading Zip with data descriptor entries. 4c9659c4e is described below commit 4c9659c4ea66839e9219b3368b95af49dd032ba9 Author: Gary Gregory <garydgreg...@gmail.com> AuthorDate: Fri Nov 10 16:06:11 2023 -0500 [COMPRESS-647] Throw IOException instead of ArrayIndexOutOfBoundsException when reading Zip with data descriptor entries. --- src/changes/changes.xml | 1 + .../archivers/zip/ZipArchiveInputStream.java | 4 ++++ .../archivers/zip/ZipArchiveInputStreamTest.java | 19 +++++++++++++++++++ src/test/resources/COMPRESS-647/test.zip | Bin 0 -> 107 bytes 4 files changed, 24 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index ceabe3e6d..9359f8210 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -88,6 +88,7 @@ The <action> type attribute can be add,update,fix,remove.
 <action type="fix" dev="ggregory" due-to="Gary Gregory">Calling PackingUtils.config(PackingOptions) with null now closes the internal FileHandler.</action>
 <action type="fix" issue="COMPRESS-650" dev="ggregory" due-to="Chad Preisler">LZ4 compressor throws IndexOutOfBoundsException.</action>
 <action type="fix" issue="COMPRESS-632" dev="ggregory" due-to="Yakov Shafranovich, Gary Gregory">LZWInputStream.initializeTables(int) should throw IllegalArgumentException instead of ArrayIndexOutOfBoundsException.</action>
+ <action type="fix" issue="COMPRESS-647" dev="ggregory" due-to="Robin Schimpf, Gary Gregory">Throw IOException instead of ArrayIndexOutOfBoundsException when reading Zip with data descriptor entries.</action>
 <!-- UPDATE -->
 <action type="update" dev="ggregory" due-to="Dependabot">Bump org.slf4j:slf4j-api from 2.0.8 to 2.0.9 #413.</action>
 <action type="update" dev="ggregory" due-to="Gary Gregory">Bump commons-io:commons-io from 2.13.0 to 2.15.0.</action>
diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
index dafa78b72..7b750ad07 100644
--- a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
@@ -984,6 +984,10 @@ public class ZipArchiveInputStream extends ArchiveInputStream<ZipArchiveEntry> i
 }
 private void pushback(final byte[] buf, final int offset, final int length) throws IOException {
+ if (offset < 0) {
+ // Instead of ArrayIndexOutOfBoundsException
+ throw new IOException(String.format("Negative offset %,d into buffer", offset));
+ }
 ((PushbackInputStream) inputStream).unread(buf, offset, length);
 pushedBackBytes(length);
 }
diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
index 0189a666a..b172724a5 100644
--- a/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
+++ b/src/test/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStreamTest.java
@@ -24,6 +24,7 @@ import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 import java.io.BufferedInputStream;
 import java.io.ByteArrayInputStream;
@@ -35,6 +36,7 @@ import java.io.InputStream;
 import java.nio.channels.Channels;
 import java.nio.channels.SeekableByteChannel;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.zip.ZipEntry;
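Review bot: The guard added to `pushback` in ZipArchiveInputStream.java rejects only `offset < 0`. A negative `length`, or an `offset + length` that runs past `buf.length`, would still reach `unread` and presumably surface as an unchecked index exception rather than an IOException. For a parser that reads untrusted archives, callers that handle only IOException would still be terminated by such input, so a single bounds check covers the remaining cases: `if (offset < 0 || length < 0 || length > buf.length - offset) {`. Whether the callers can actually produce those values is not visible in this hunk, and the computation that yields the negative offset also lies outside it. As a minor point, `%,d` groups digits according to the default locale, so `%d` would keep the message stable across environments.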
@@ -47,6 +49,8 @@ import org.apache.commons.compress.archivers.ArchiveStreamFactory;
 import org.apache.commons.compress.utils.ByteUtils;
 import org.apache.commons.compress.utils.IOUtils;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 public class ZipArchiveInputStreamTest extends AbstractTest {
@@ -709,4 +713,19 @@ public class ZipArchiveInputStreamTest extends AbstractTest {
 getAllZipEntries(zipInputStream);
 }
 }
+
+ @ParameterizedTest
+ @ValueSource(booleans = { true, false })
+ public void zipInputStream(final boolean allowStoredEntriesWithDataDescriptor) {
+ try (ZipArchiveInputStream zIn = new ZipArchiveInputStream(
+ Files.newInputStream(Paths.get("src/test/resources/COMPRESS-647/test.zip")), "UTF-8", false,
+ allowStoredEntriesWithDataDescriptor)) {
+ ZipArchiveEntry zae = zIn.getNextEntry();
+ while (zae != null) {
+ zae = zIn.getNextEntry();
+ }
+ } catch (IOException e) {
+ // Ignore expected exception
+ }
+ }
 }
diff --git a/src/test/resources/COMPRESS-647/test.zip b/src/test/resources/COMPRESS-647/test.zip
new file mode 100644
index 000000000..af688fd12
Binary files /dev/null and b/src/test/resources/COMPRESS-647/test.zip differ
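Review bot: The new `zipInputStream` test in ZipArchiveInputStreamTest.java passes whether or not an IOException is thrown, because the catch block swallows it and nothing is asserted after the loop. It therefore pins only that no unchecked exception escapes, not that the malformed archive is rejected. If both parameter values are expected to fail on this archive, add `fail("Expected IOException");` directly after the `while` loop, or wrap the loop in `assertThrows(IOException.class, ...)`. The `fail` import added in the first hunk of this file is otherwise unused in the visible hunks. A method name tied to the issue, such as `testCompress647`, would also make the regression easier to trace.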