kali834x opened a new pull request, #1135: URL: https://github.com/apache/poi/pull/1135
When constructing a `ZipArchiveFakeEntry`, temporary resources (`TempFile` or `EncryptedTempData`) are allocated before the entry is fully initialized. If `IOUtils.copy(...)` throws an exception (e.g., Zip Bomb detection or an I/O failure), the constructor exits before returning an object reference. In this failure path, the partially constructed `ZipArchiveFakeEntry` is never returned to `ZipInputStreamZipEntrySource` and is never added to the `zipEntries` map. Therefore, the cleanup logic introduced in PR #1128—which only closes successfully added entries—cannot reach these resources. As a result, the temporary file or encrypted temporary data allocated by the failed constructor can remain on disk, causing a resource leak. This fix adds constructor-level cleanup using a `try-finally` block to ensure that any allocated resources are released if initialization does not complete successfully. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
