This is an automated email from the ASF dual-hosted git repository.
fanningpj pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/poi.git
The following commit(s) were added to refs/heads/trunk by this push:
new 715ddce9aa support upcoming COMPRESS-598 change
715ddce9aa is described below
commit 715ddce9aa189297f11cc46627defcc3f0d38598
Author: PJ Fanning <[email protected]>
AuthorDate: Fri Mar 6 12:57:54 2026 +0100
support upcoming COMPRESS-598 change
---
.../poi/openxml4j/util/ZipArchiveThresholdInputStream.java | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git
a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveThresholdInputStream.java
b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveThresholdInputStream.java
index fe6c77150b..65e79b1f39 100644
---
a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveThresholdInputStream.java
+++
b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveThresholdInputStream.java
@@ -27,6 +27,8 @@ import java.util.zip.ZipException;
import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
import org.apache.commons.compress.utils.InputStreamStatistics;
+import org.apache.logging.log4j.Logger;
+import org.apache.poi.logging.PoiLogManager;
import org.apache.poi.openxml4j.exceptions.NotOfficeXmlFileException;
import org.apache.poi.util.IOUtils;
import org.apache.poi.util.Internal;
@@ -36,6 +38,8 @@ import static org.apache.poi.openxml4j.util.ZipSecureFile.*;
@Internal
public class ZipArchiveThresholdInputStream extends FilterInputStream {
+ private static final Logger LOG =
PoiLogManager.getLogger(ZipArchiveThresholdInputStream.class);
+
private static final String MAX_ENTRY_SIZE_MSG =
"Zip bomb detected! The file would exceed the max size of the expanded
data in the zip-file.\n" +
"This may indicates that the file is used to inflate memory usage and
thus could pose a security risk.\n" +
@@ -112,11 +116,14 @@ public class ZipArchiveThresholdInputStream extends
FilterInputStream {
long rawSize;
try {
rawSize = stats.getCompressedCount();
- } catch (NullPointerException e) {
+ } catch (Exception e) {
// this can happen with a very specially crafted file
// see https://issues.apache.org/jira/browse/COMPRESS-598 for a
related bug-report
// therefore we try to handle this gracefully for now
// this try/catch can be removed when COMPRESS-598 is fixed
+ // March 2026: there is an unreleased change for COMPRESS-598
which changes the NPE
+ // to a ZipException. To future proof the code, I will catch any
exception here.
+ LOG.warn("Unable to get the compress count for this compressed
stream meaning the zip bomb check can't be done");
rawSize = 0;
}
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
