Posted to commits@commons.apache.org by bo...@apache.org on 2021/05/01 13:48:31 UTC
[commons-compress] 04/05: COMPRESS-567 overlooked a
RuntimeException in BoundedArchiveInputStream
This is an automated email from the ASF dual-hosted git repository.
bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
commit 30ff58d0f120b01e74db83eaee9f819fcf840843
Author: Stefan Bodewig <bo...@apache.org>
AuthorDate: Sat May 1 15:43:37 2021 +0200
COMPRESS-567 overlooked a RuntimeException in BoundedArchiveInputStream
unfortunately I cannot change the signature of
BoundedArchiveInputStream's constructor as the way it is used in
ZipFile doesn't allow it to throw an IOException without breaking
backwards compatibility of ZipFile#getRawInputStream
---
src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
index 2ba4ee2..378d4a5 100644
--- a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
+++ b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
@@ -359,6 +359,10 @@ public class TarFile implements Closeable {
if (sparseHeader.getNumbytes() > 0) {
final long start =
currEntry.getDataOffset() + sparseHeader.getOffset() - numberOfZeroBytesInSparseEntry;
+ if (start + sparseHeader.getNumbytes() < start) {
+ // possible integer overflow
+ throw new IOException("Unreadable TAR archive, sparse block offset or length too big");
+ }
streams.add(new BoundedSeekableByteChannelInputStream(start, sparseHeader.getNumbytes(), archive));
}
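Review bot: the guard `if (start + sparseHeader.getNumbytes() < start)` covers only the last addition, while `start` itself is computed just above it as `currEntry.getDataOffset() + sparseHeader.getOffset() - numberOfZeroBytesInSparseEntry` with no check. If that expression wraps or goes negative because of an oversized sparse offset in the archive, the value is still handed to `BoundedSeekableByteChannelInputStream` unchecked. Consider also rejecting `start < 0` here, or computing both sums with `Math.addExact` and rethrowing the `ArithmeticException` as the same `IOException`. The diffstat shows only `TarFile.java` changed, so a regression test with a sparse header whose offset plus length exceeds `Long.MAX_VALUE` would be worth adding alongside this fix.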