ppkarwasz commented on code in PR #698:
URL: https://github.com/apache/commons-compress/pull/698#discussion_r2302955511


##########
src/main/java/org/apache/commons/compress/archivers/tar/TarUtils.java:
##########
@@ -883,22 +885,32 @@ private static long[] readLineOfNumberForPax1x(final 
InputStream inputStream) th
      * @throws IOException if an I/O error occurs or the entry is truncated.
      * @throws ArchiveException if the entry size is invalid.
      */
-    private static String readLongName(final InputStream input, final 
ZipEncoding encoding, final TarArchiveEntry entry)
+    static String readLongName(final InputStream input, final ZipEncoding 
encoding, final TarArchiveEntry entry)
             throws IOException {
         final long size = entry.getSize();
+        // The encoding requires a byte array, whose size must be a positive 
int.
         if (size > Integer.MAX_VALUE) {
-            throw new ArchiveException("Invalid long name size: " + 
entry.getSize());
-        }
-        final int sizeInt = (int) size;
-        final byte[] buffer = new byte[sizeInt];
-        if (IOUtils.readFully(input, buffer, 0, sizeInt) < sizeInt) {
-            throw new ArchiveException("TAR entry is truncated.");
-        }
-        int length = buffer.length;
-        while (length > 0 && buffer[length - 1] == 0) {
+            throw new ArchiveException("Invalid long name entry: size %d 
exceeds maximum allowed.", entry.getSize());
+        }
+        // Read the long name incrementally to limit memory allocation in case 
of a corrupted entry.
+        final BoundedInputStream boundedInput = BoundedInputStream.builder()
+                .setInputStream(input)
+                .setMaxCount(size)
+                .setPropagateClose(false)
+                .get();
+        final UnsynchronizedByteArrayOutputStream outputStream = 
UnsynchronizedByteArrayOutputStream.builder()
+                
.setBufferSize(org.apache.commons.io.IOUtils.DEFAULT_BUFFER_SIZE)
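Review bot: the added comment "whose size must be a positive int" does not match the guard below it, which only rejects `size > Integer.MAX_VALUE`; either reword the comment to "must fit in an int" or also reject a negative `size` so the comment and the check agree. Separately, the removed lines carried an explicit `throw new ArchiveException("TAR entry is truncated.")` when fewer than `size` bytes arrived; in the part of the hunk shown here the bounded copy has no equivalent yet, so make sure the final version compares the number of bytes copied against `size` and throws, as the Javadoc "@throws IOException if an I/O error occurs or the entry is truncated" still promises. Otherwise a truncated long-name entry would silently yield a shorter name instead of an error.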

Review Comment:
   This class already imports `o.a.c.compress.utils.IOUtils`, so I need the 
FQCN to refer to `o.a.c.io.IOUtils`.
   
   However, looking at the implementation of 
`UnsynchronizedByteArrayOutputStream`, I don't really need it since this is 
already the default buffer size and the same buffer size is used in 
`IOUtils.copyLarge`. Fixed in 
https://github.com/apache/commons-compress/pull/698/commits/2aafade4dd65e0a8d74a6a6e880cfa7c0434c459.
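The pattern under discussion, reading a header-declared length incrementally so that a corrupted or hostile size field cannot force a huge up-front allocation, as an added stand-alone example that is not code from the pull request or from Commons Compress. It uses only the JDK instead of the Commons IO `BoundedInputStream` and `UnsynchronizedByteArrayOutputStream` used in the PR, and the method names, the 8 KiB chunk size and the sample record are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

public class LongNameReadDemo {

    // Naive variant for contrast (hypothetical): the whole declared size is allocated
    // before a single byte is read, so a header claiming 2 GB costs 2 GB of heap.
    static String readLongNameNaive(InputStream in, long declaredSize) throws IOException {
        if (declaredSize < 0 || declaredSize > Integer.MAX_VALUE) {
            throw new IOException("Invalid long name size: " + declaredSize);
        }
        byte[] buf = new byte[(int) declaredSize];
        int off = 0;
        while (off < buf.length) {
            int n = in.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new IOException("TAR entry is truncated.");
            }
            off += n;
        }
        return stripTrailingNuls(buf, buf.length);
    }

    // Bounded variant (hypothetical name): memory grows with bytes actually read,
    // never with the value written in the header, and a short read is an error.
    static String readLongNameBounded(InputStream in, long declaredSize) throws IOException {
        if (declaredSize < 0 || declaredSize > Integer.MAX_VALUE) {
            throw new IOException("Invalid long name size: " + declaredSize);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream(); // grows lazily
        byte[] chunk = new byte[8192];                           // assumed chunk size
        long remaining = declaredSize;
        while (remaining > 0) {
            int want = (int) Math.min(chunk.length, remaining);
            int n = in.read(chunk, 0, want);
            if (n < 0) {
                // Explicit truncation check: the stream ended before 'declaredSize' bytes.
                throw new IOException("TAR entry is truncated: expected " + declaredSize
                        + " bytes, got " + (declaredSize - remaining));
            }
            out.write(chunk, 0, n);
            remaining -= n;
        }
        byte[] bytes = out.toByteArray();
        return stripTrailingNuls(bytes, bytes.length);
    }

    // A GNU long name is NUL padded to the record boundary; drop the padding before decoding.
    static String stripTrailingNuls(byte[] bytes, int length) {
        while (length > 0 && bytes[length - 1] == 0) {
            length--;
        }
        return new String(bytes, 0, length, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one 512-byte record holding a NUL-padded path.
        byte[] record = new byte[512];
        byte[] name = "dir/with/a/fairly/long/file-name.txt".getBytes(StandardCharsets.UTF_8);
        System.arraycopy(name, 0, record, 0, name.length);

        // Well-formed entry: declared size matches the data that follows.
        System.out.println(readLongNameBounded(new ByteArrayInputStream(record), 512));

        // Corrupted entry: the header claims 1 GiB but only 512 bytes exist. The bounded
        // reader allocates one 8 KiB chunk plus 512 bytes and then fails; the naive
        // reader would have allocated the full 1 GiB first.
        try {
            readLongNameBounded(new ByteArrayInputStream(record), 1L << 30);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the second variant is that the only quantity an attacker controls, the size field, bounds how many bytes are read but never how many are allocated ahead of time; the truncation check is what turns a short archive into an error rather than a silently shortened file name.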



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
