Posted to commits@commons.apache.org by bo...@apache.org on 2020/05/31 12:06:01 UTC

[commons-compress] branch master updated: COMPRESS-532 properly handle corrupt IMPLODED streams

This is an automated email from the ASF dual-hosted git repository.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/master by this push:
     new 6bbc7cb  COMPRESS-532 properly handle corrupt IMPLODED streams
6bbc7cb is described below

commit 6bbc7cb147d57c3db812be17d462a802ee46e26c
Author: Stefan Bodewig <bo...@apache.org>
AuthorDate: Sun May 31 14:05:33 2020 +0200

    COMPRESS-532 properly handle corrupt IMPLODED streams
---
 src/changes/changes.xml                                      |  5 +++++
 .../commons/compress/archivers/zip/ExplodingInputStream.java |  6 +++++-
 .../compress/archivers/zip/ZipArchiveInputStream.java        | 12 ++++++++----
 .../org/apache/commons/compress/archivers/zip/ZipFile.java   |  8 ++++++--
 4 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 22da036..9c6d8b5 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -103,6 +103,11 @@ The <action> type attribute can be add,update,fix,remove.
         Throw IOException when a a tar archive contains a PAX header
         without any normal entry follwoing it.
       </action>
+      <action issue="COMPRESS-532" type="fix" date="2020-05-31">
+        Added improved checks to detect corrupted IMPLODED streams and
+        throw the expected IOException rather than obscure
+        RuntimeExceptions.
+      </action>
     </release>
     <release version="1.20" date="2020-02-08"
              description="Release 1.20">
diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java b/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
index 24a0920..fba165b 100644
--- a/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
@@ -116,7 +116,11 @@ class ExplodingInputStream extends InputStream implements InputStreamStatistics
     @Override
     public int read() throws IOException {
         if (!buffer.available()) {
-            fillBuffer();
+            try {
+                fillBuffer();
+            } catch (IllegalArgumentException ex) {
+                throw new IOException("bad IMPLODE stream", ex);
+            }
         }
 
         final int ret = buffer.get();
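Review bot: The new catch around `fillBuffer()` in `read()` translates only `IllegalArgumentException`, so any other unchecked exception that corrupt IMPLODED data can provoke during decoding would still escape as a RuntimeException. `fillBuffer()` lies outside this hunk, so whether such paths exist (an out-of-bounds index, for instance) is unconfirmed and worth checking, because callers unpacking untrusted archives usually handle only `IOException`. The diffstat lists no test file; a regression test that feeds a corrupt IMPLODED entry and asserts `IOException` would pin the intended contract. A one-line comment above the `try`, such as `// corrupt input is reported by the decoder as IllegalArgumentException`, would explain why a runtime exception is caught here.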
diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
index 5306590..8246689 100644
--- a/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/ZipArchiveInputStream.java
@@ -359,10 +359,14 @@ public class ZipArchiveInputStream extends ArchiveInputStream implements InputSt
                     current.in = new UnshrinkingInputStream(bis);
                     break;
                 case IMPLODING:
-                    current.in = new ExplodingInputStream(
-                        current.entry.getGeneralPurposeBit().getSlidingDictionarySize(),
-                        current.entry.getGeneralPurposeBit().getNumberOfShannonFanoTrees(),
-                        bis);
+                    try {
+                        current.in = new ExplodingInputStream(
+                            current.entry.getGeneralPurposeBit().getSlidingDictionarySize(),
+                            current.entry.getGeneralPurposeBit().getNumberOfShannonFanoTrees(),
+                            bis);
+                    } catch (IllegalArgumentException ex) {
+                        throw new IOException("bad IMPLODE data", ex);
+                    }
                     break;
                 case BZIP2:
                     current.in = new BZip2CompressorInputStream(bis);
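Review bot: The `try`/`catch` added in the `IMPLODING` case is repeated almost verbatim in the ZipFile.java hunk, so the two call sites can drift apart. The `IllegalArgumentException` presumably comes from argument validation in the `ExplodingInputStream` constructor, which is not visible here. If so, a single package-private factory on `ExplodingInputStream` that performs the translation to `IOException` would keep both callers consistent. Failing that, a comment on each `catch`, e.g. `// constructor rejects dictionary size / tree count it does not support`, would record where the exception originates. The message here is "bad IMPLODE data" while `read()` uses "bad IMPLODE stream"; if the difference is meant to distinguish header problems from payload problems, that is worth stating in the comment. The enclosing switch continues outside this hunk.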
diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/ZipFile.java b/src/main/java/org/apache/commons/compress/archivers/zip/ZipFile.java
index 45862a8..9cba350 100644
--- a/src/main/java/org/apache/commons/compress/archivers/zip/ZipFile.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/ZipFile.java
@@ -577,8 +577,12 @@ public class ZipFile implements Closeable {
             case UNSHRINKING:
                 return new UnshrinkingInputStream(is);
             case IMPLODING:
-                return new ExplodingInputStream(ze.getGeneralPurposeBit().getSlidingDictionarySize(),
-                        ze.getGeneralPurposeBit().getNumberOfShannonFanoTrees(), is);
+                try {
+                    return new ExplodingInputStream(ze.getGeneralPurposeBit().getSlidingDictionarySize(),
+                            ze.getGeneralPurposeBit().getNumberOfShannonFanoTrees(), is);
+                } catch (IllegalArgumentException ex) {
+                    throw new IOException("bad IMPLODE data", ex);
+                }
             case DEFLATED:
                 final Inflater inflater = new Inflater(true);
                 // Inflater with nowrap=true has this odd contract for a zero padding