[ https://issues.apache.org/jira/browse/COMPRESS-331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15113966#comment-15113966 ]

Jeremy Gustie commented on COMPRESS-331:
----------------------------------------

There are a number of garbage values in the first entry (the one on which 
{{isCheckSumOK}} is called): perhaps in addition to the current 
{{isCheckSumOK}} check the archive stream factory can also sanity check 
something like the device number.

From my understanding of the comments, another possibility might be only 
allowing the {{storedSum > unsignedSum}} check if the magic is blank. The 
magic would need to be captured like stored sum is now for this additional 
check (it looks like the magic offset is already a constant).

Here are the values on the entry I am seeing from the {{ic_secure.png}} (note 
that I zapped a bunch of Gremlins in the name to avoid problems) just in case 
someone has some better ideas for how to quickly identify obviously bad 
entries:
||Field||Value||
|{{checkSumOK}}|{{true}}|
|{{devMajor}}|{{2134088}}|
|{{devMinor}}|{{2363913}}|
|{{file}}|{{null}}|
|{{groupId}}|{{2134088}}|
|{{groupName}}|{{"01101101101101101101101101101101"}}|
|{{isExtended}}|{{false}}|
|{{linkFlag}}|{{48}}|
|{{linkName}}|{{"1101101101101101101101101101101101101101101101101101101101101101101101101101101101101101101101101101"}}|
|{{magic}}|{{"101101"}}|
|{{mode}}|{{2363913}}|
|{{modTime}}|{{9682587720}}|
|{{name}}|{{"01101101101101...blah...blah...blah...PNG...blah...blah...blah...110110110110110110110110110110110"}}|
|{{realSize}}|{{0}}|
|{{size}}|{{9682587720}}|
|{{userId}}|{{295489}}|
|{{userName}}|{{"11011011011011011011011011011011"}}|
|{{version}}|{{"10"}}|

> Some non TAR files are recognized by ArchiveStreamFactory
> ---------------------------------------------------------
>
>                 Key: COMPRESS-331
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-331
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>    Affects Versions: 1.10
>            Reporter: Jeremy Gustie
>         Attachments: ic_secure.png
>
>
> I ran into a case where a PNG file is being recognized as TAR because 
> {{TarUtils.verifyCheckSum}} reports it as having a valid checksum (in this 
> case the code thinks the stored checksum is 36936, unsigned is 31155 and 
> signed is 19635). Because the stored checksum value is larger then the 
> unsigned checksum it is treated as a valid TAR.
> I haven't spent enough time digging into the problem to see if there is a 
> good alternative to the existing check that doesn't have false positives like 
> this PNG file (which, if anyone is interested comes from an Android download).
> Also, I noticed a minor thing in the code: the comment in 
> {{TarUtils.verifyCheckSum}} has the wrong bug number listed (it says 177 
> instead of 117).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
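Added example (not part of the JIRA message above, and not Commons Compress's own {{TarUtils}} code): a standalone Python model of the header checksum arithmetic the report discusses. It computes the stored, unsigned and signed sums for one 512-byte ustar header (checksum field at offset 148, typeflag at 156, magic at 257, devmajor/devminor at 329/337), then applies three acceptance rules: the lenient rule as paraphrased from the report (a stored sum larger than the unsigned sum also passes), an equality-only rule, and the reporter's magic-gated variant. It also implements the device-number sanity check suggested in the comment as a heuristic (non-device entries must carry zero device numbers). The bogus block is constructed here to reproduce the reported field values ({{magic}} "101101", {{version}} "10", {{linkFlag}} 48, {{devMajor}} 2134088, stored checksum 36936); it is not the attached {{ic_secure.png}}, whose byte sums differ. The genuine header comes from the standard library's {{tarfile}}.

```python
"""Model of tar header checksum heuristics (example code for this page only;
the lenient condition is a paraphrase of the report, not TarUtils source)."""
import tarfile

BLOCK = 512
CHKSUM_OFF, CHKSUM_LEN = 148, 8      # ustar checksum field
TYPEFLAG_OFF = 156
MAGIC_OFF, MAGIC_LEN = 257, 6        # "ustar\0" (POSIX) or "ustar " (GNU)
DEVMAJOR_OFF, DEVMINOR_OFF, DEV_LEN = 329, 337, 8


def header_sums(header: bytes):
    """Return (stored, unsigned, signed) for a 512-byte header block.
    stored: up to six leading octal digits of the checksum field.
    unsigned: byte sum with the checksum field counted as eight spaces.
    signed: same sum treating each byte as signed 8-bit (old writers)."""
    if len(header) != BLOCK:
        raise ValueError("tar header must be exactly 512 bytes")
    stored, ndigits = 0, 0
    for b in header[CHKSUM_OFF:CHKSUM_OFF + CHKSUM_LEN]:
        if 0x30 <= b <= 0x37 and ndigits < 6:
            stored = stored * 8 + (b - 0x30)
            ndigits += 1
        elif ndigits:
            break                    # NUL/space terminator ends the number
    body = header[:CHKSUM_OFF] + b" " * CHKSUM_LEN + header[CHKSUM_OFF + CHKSUM_LEN:]
    unsigned = sum(body)
    signed = sum(b - 256 if b >= 0x80 else b for b in body)
    return stored, unsigned, signed


def lenient_checksum_ok(header: bytes) -> bool:
    """Rule as described in the report: 'stored > unsigned' is also accepted."""
    stored, unsigned, signed = header_sums(header)
    return stored == unsigned or stored == signed or stored > unsigned


def strict_checksum_ok(header: bytes) -> bool:
    """Only an exact match with either sum is accepted."""
    stored, unsigned, signed = header_sums(header)
    return stored == unsigned or stored == signed


def magic_gated_checksum_ok(header: bytes) -> bool:
    """Reporter's second idea (my reading): keep the 'stored > unsigned'
    escape hatch only for headers whose magic field is blank (pre-ustar)."""
    stored, unsigned, signed = header_sums(header)
    if stored == unsigned or stored == signed:
        return True
    blank_magic = header[MAGIC_OFF:MAGIC_OFF + MAGIC_LEN] == b"\0" * MAGIC_LEN
    return blank_magic and stored > unsigned


def parse_octal(field: bytes) -> int:
    """NUL/space-terminated octal numeric field; garbage raises ValueError."""
    digits = field.split(b"\0", 1)[0].strip(b" ")
    if not digits:
        return 0
    if any(not 0x30 <= c <= 0x37 for c in digits):
        raise ValueError("non-octal byte in numeric field")
    return int(digits, 8)


def devices_plausible(header: bytes) -> bool:
    """Reporter's first idea as a heuristic (my reading): only char ('3') and
    block ('4') device entries may carry non-zero device numbers."""
    typeflag = header[TYPEFLAG_OFF:TYPEFLAG_OFF + 1]
    try:
        major = parse_octal(header[DEVMAJOR_OFF:DEVMAJOR_OFF + DEV_LEN])
        minor = parse_octal(header[DEVMINOR_OFF:DEVMINOR_OFF + DEV_LEN])
    except ValueError:
        return False
    return typeflag in (b"3", b"4") or (major == 0 and minor == 0)


def genuine_header() -> bytes:
    """A real ustar header written by the standard library."""
    info = tarfile.TarInfo("hello.txt")
    info.size = 5
    return info.tobuf(tarfile.USTAR_FORMAT)


def bogus_header() -> bytes:
    """Constructed non-tar block: PNG signature followed by the repeating ASCII
    pattern '011'. Built to mimic the field values in the report (magic
    '101101', version '10', typeflag '0', devMajor 2134088, stored checksum
    36936); it is NOT the attached ic_secure.png."""
    block = bytearray((b"011" * 171)[:BLOCK])
    block[:8] = b"\x89PNG\r\n\x1a\n"
    return bytes(block)


if __name__ == "__main__":
    for label, hdr in (("genuine", genuine_header()), ("bogus", bogus_header())):
        print(label, header_sums(hdr), "lenient", lenient_checksum_ok(hdr),
              "strict", strict_checksum_ok(hdr), "magic-gated",
              magic_gated_checksum_ok(hdr), "devices", devices_plausible(hdr))
```

For the constructed block the stored sum (36936) exceeds the unsigned sum, so the lenient rule accepts it while the equality-only rule, the magic-gated rule and the device check all reject it; the genuine header passes all four. The device-number check is a heuristic: some writers leave those fields unterminated or non-zero for ordinary files, so it is a sanity filter for sniffing, not a validity test for archives already known to be tar.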