On Sat, 13 Nov 2021 23:16:22 GMT, Sergey Bylokhov <s...@openjdk.org> wrote:
> The ZipOutputStream class may create bogus zip data which cannot be opened by
> the ZipFile. The root cause is how the comment field is stored by the
> ZipOutputStream. According to the zip specification, the comment field should
> not be longer than 0xFFFF bytes, and we try to validate the length of the
> comment, but unfortunately, we do this after the comment was assigned
> already. So if the application saves the comment based on the user's input
> and then gets an exception from the ZipOutputStream.setComment() it may
> assume that the comment is too long and it will be ignored, but it will be
> saved as-is to the file.
>
> Please take a look at
> [this](https://github.com/openjdk/jdk/commit/c435a0905dfae827687ed46015269f9c1b36c239#diff-736e247f0ec294323891a77e16a9f0dba8bc1872131c857edf18c3f349e750eeL117)
> refactoring, and note:
>  * The comment field is assigned before the length check
>  * The null comment is ignored
>
> The current fix will move the length validation before being assigned and
> will use the null comment as an empty text. Note that the behavior of the
> null parameter is not specified in the method/class/package so we are free
> here to implement it in any way, any thoughts/suggestions on which is better?

This pull request has now been integrated.

Changeset: e3243ee9
Author:    Sergey Bylokhov <s...@openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/e3243ee963d074c892a0ed16a00fd91b440c96ac
Stats:     117 lines in 2 files changed: 114 ins; 0 del; 3 mod

8277087: ZipException: zip END header not found at ZipFile#Source.findEND

Reviewed-by: lancea

-------------

PR: https://git.openjdk.java.net/jdk/pull/6380
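The scenario described in the quoted text (an application catches the exception from `setComment()` and keeps writing) can be checked against a given JDK with the program below. It is an added example, not part of the original message or of the JDK change; the class name `ZipCommentCheck`, the method name, the entry name and the sample comment are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

// Hypothetical check class: only the java.util.zip calls are real JDK API.
public class ZipCommentCheck {
    // Constructed input: one byte over the 0xFFFF limit for the zip comment field.
    static final String TOO_LONG = "a".repeat(0xFFFF + 1);

    /** True if an archive written after a rejected setComment() is readable and carries no comment. */
    static boolean rejectedCommentIsDiscarded(Path zip) throws IOException {
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(zip))) {
            try {
                zos.setComment(TOO_LONG);
                return false; // over-long comment was accepted without an exception
            } catch (IllegalArgumentException expected) {
                // The caller assumes the comment was refused and carries on writing.
            }
            zos.putNextEntry(new ZipEntry("data.txt"));
            zos.write("payload".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        try (ZipFile zf = new ZipFile(zip.toFile())) {
            String c = zf.getComment();
            return (c == null || c.isEmpty()) && zf.getEntry("data.txt") != null;
        } catch (IOException e) { // ZipException is a subclass of IOException
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        Path zip = Files.createTempFile("comment-check", ".zip");
        try {
            boolean ok = rejectedCommentIsDiscarded(zip);
            System.out.println(System.getProperty("java.version") + ": "
                + (ok ? "rejected comment was discarded, archive is readable"
                      : "archive unreadable or comment kept after rejection"));
        } finally {
            Files.deleteIfExists(zip);
        }
    }
}
```

Run it with `java ZipCommentCheck.java` on JDK 11 or later; the printed line reports which of the two outcomes the running JDK produces.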