On Wed, 15 Nov 2023 20:13:15 GMT, Eirik Bjorsnos <d...@openjdk.org> wrote:
>> src/java.base/share/classes/java/util/zip/ZipInputStream.java line 581:
>>
>>> 579: if ((flag & 8) == 8) {
>>> 580: /* "Data Descriptor" present */
>>> 581: if (hasZip64Extra(e) ||
>>
>> You probably want to consider updating `readLOC` to make sure the extralen
>> is != 0 if the appropriate fields are set to either 0xFFFF or 0xFFFFFFFF or
>> update `hasZip64Extra` to do the validation
>
> I think I prefer keeping this PR maintaining a strict focus on expanding the
> set of readable files to include those that use Zip64 extra fields for < 2GB
> entries with data descriptors.
>
> Would you be ok with that?
>
> Adding validation to `readLOC` is a fair effort, but I would prefer this to
> be done in a separate PR, similar to your work on adding Zip64 validation to
> ZipFile.
>
> I wouldn't mind looking into that, but perhaps you would like to handle it,
> given your comment above about spending some time on `ZipInputStream` in the
> following days?

A follow on PR is fine. Why don't you take that on seeing you already have your sleeves rolled up in this area :-)

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/12524#discussion_r1394744061
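The consistency check suggested in the quoted review comment, sketched as an added example; it is not part of this thread and not JDK code. The class, method and constant names are the example's own, it covers only the two 32-bit LOC size fields, and it assumes the Zip64 block in a LOC header must carry both 8-byte sizes, as the ZIP APPNOTE requires.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

public class LocZip64Check {
    static final int LOCSIG = 0x04034b50;        // "PK\003\004"
    static final int LOCHDR = 30;                // fixed part of the LOC header
    static final long ZIP64_MAGICVAL = 0xFFFFFFFFL;
    static final int ZIP64_EXTID = 0x0001;       // Zip64 extended information block

    /** Returns null when the header is consistent, otherwise the reason it is not. */
    static String check(byte[] loc) {
        if (loc.length < LOCHDR) return "truncated LOC header";
        ByteBuffer b = ByteBuffer.wrap(loc).order(ByteOrder.LITTLE_ENDIAN);
        if (b.getInt(0) != LOCSIG) return "bad LOC signature";
        long csize = b.getInt(18) & 0xFFFFFFFFL;
        long size = b.getInt(22) & 0xFFFFFFFFL;
        int nameLen = b.getShort(26) & 0xFFFF;
        int extraLen = b.getShort(28) & 0xFFFF;
        if (csize != ZIP64_MAGICVAL && size != ZIP64_MAGICVAL) return null; // no Zip64 needed
        if (extraLen == 0) return "size is 0xFFFFFFFF but extra length is 0";
        int off = LOCHDR + nameLen, end = off + extraLen;
        if (end > loc.length) return "extra field runs past the buffer";
        while (off + 4 <= end) {                 // walk the (id, len, data) blocks
            int id = b.getShort(off) & 0xFFFF;
            int len = b.getShort(off + 2) & 0xFFFF;
            if (off + 4 + len > end) return "extra block overruns the extra field";
            if (id == ZIP64_EXTID)               // both 8-byte sizes must be present
                return len >= 16 ? null : "Zip64 block too short: " + len;
            off += 4 + len;
        }
        return "size is 0xFFFFFFFF but no Zip64 extra block";
    }

    /** Constructed sample: LOC with both sizes 0xFFFFFFFF, name "a", given extra bytes. */
    static byte[] sample(byte[] extra) {
        ByteBuffer b = ByteBuffer.allocate(LOCHDR + 1 + extra.length)
            .order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(LOCSIG).putShort((short) 45).putShort((short) 8).putShort((short) 8);
        b.putInt(0).putInt(0);                   // time and date (one int), then crc
        b.putInt(-1).putInt(-1);                 // csize and size, both 0xFFFFFFFF
        b.putShort((short) 1).putShort((short) extra.length).put((byte) 'a').put(extra);
        return b.array();
    }

    public static void main(String[] args) {
        byte[] zip64 = ByteBuffer.allocate(20).order(ByteOrder.LITTLE_ENDIAN)
            .putShort((short) ZIP64_EXTID).putShort((short) 16).putLong(5).putLong(7).array();
        System.out.println(check(sample(new byte[0])));  // magic sizes, no extra field
        System.out.println(check(sample(zip64)));        // magic sizes, 16-byte Zip64 block
    }
}
```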