Philip Betzler-Braun created COMPRESS-714:
---------------------------------------------
Summary: Internal IllegalArgumentException in ZipFile and TarFile
creation is not caught
Key: COMPRESS-714
URL: https://issues.apache.org/jira/browse/COMPRESS-714
Project: Commons Compress
Issue Type: Bug
Components: Archivers
Environment: Ubuntu 24.04
$ java --version
openjdk 21.0.8 2025-07-15
OpenJDK Runtime Environment (build 21.0.8+9-Ubuntu-0ubuntu124.04.1)
OpenJDK 64-Bit Server VM (build 21.0.8+9-Ubuntu-0ubuntu124.04.1, mixed mode,
sharing)
Reporter: Philip Betzler-Braun
Attachments: IllegalArgumentInTarFileReproducer.java,
IllegalArgumentInZipFileReproducer.java
*Minor Issue:*
When creating a ZipFile or TarFile instance out of unsanitized bytes, it is
possible that the underlying class SeekableInMemoryByteChannel.position
(org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:126))
function is called with a long value that is > Integer.MaxValue. This triggers
an IllegalArgumentException that is not caught inside the library, but hits
user code.
*Suggestion:*
* As with the DumpArchiveInputStream: Catching the RuntimeException and
throwing a specific exception.
*Reproduction:*
ZipFile reproducer location:
src/test/java/org/apache/commons/compress/archivers/zip/IllegalArgumentInZipFileReproducer.java
*[^IllegalArgumentInZipFileReproducer.java]*
TarFile reproducer location:
src/test/java/org/apache/commons/compress/archivers/tar/IllegalArgumentInTarFileReproducer.java
*[^IllegalArgumentInTarFileReproducer.java]*
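A caller-side guard for the behaviour reported above, as an added example that is not part of the issue, its attachments, or Commons Compress: code that opens archives from untrusted bytes can convert any unchecked exception escaping ZipFile or TarFile creation into an IOException, so malformed input takes the same rejection path as any other parse error. The class and method names are hypothetical, and the sample bytes are constructed, not the reporter's reproducer input.

```java
import java.io.IOException;
import java.nio.channels.SeekableByteChannel;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.commons.compress.archivers.tar.TarFile;
import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.commons.compress.utils.SeekableInMemoryByteChannel;

// Hypothetical helper class; not part of Commons Compress.
public final class UntrustedArchives {

    // Lists ZIP entry names; every parse failure surfaces as IOException.
    static List<String> zipEntryNames(byte[] untrusted) throws IOException {
        // This constructor is deprecated in recent releases in favour of ZipFile.builder().
        try (SeekableByteChannel ch = new SeekableInMemoryByteChannel(untrusted);
             ZipFile zip = new ZipFile(ch)) {
            List<String> names = new ArrayList<>();
            Collections.list(zip.getEntries()).forEach(e -> names.add(e.getName()));
            return names;
        } catch (RuntimeException e) {
            // Covers the IllegalArgumentException from SeekableInMemoryByteChannel.position.
            throw new IOException("Malformed ZIP input", e);
        }
    }

    // Same guard for TAR input held in memory.
    static List<String> tarEntryNames(byte[] untrusted) throws IOException {
        try (TarFile tar = new TarFile(untrusted)) {
            List<String> names = new ArrayList<>();
            tar.getEntries().forEach(e -> names.add(e.getName()));
            return names;
        } catch (RuntimeException e) {
            throw new IOException("Malformed TAR input", e);
        }
    }

    public static void main(String[] args) {
        // Constructed garbage input: a bare end-of-central-directory signature.
        byte[] constructed = {0x50, 0x4b, 0x05, 0x06};
        try {
            System.out.println(zipEntryNames(constructed));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```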