Posted to issues@commons.apache.org by "klaren (via GitHub)" <gi...@apache.org> on 2023/03/16 13:15:17 UTC

[GitHub] [commons-compress] klaren opened a new pull request, #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

klaren opened a new pull request, #368:
URL: https://github.com/apache/commons-compress/pull/368

   I wrote a test to reproduce the issue, writing to a `NullOutputStream`, but that turned out to be really slow due to the forced 512-byte chunking. So I opted not to include that.
   
   ```java
       @Test
       public void testWritingBigFile() throws Exception {
           final TarArchiveEntry t = new TarArchiveEntry("foo");
           t.setSize((Integer.MAX_VALUE + 1L) * TarConstants.DEFAULT_RCDSIZE);
           final TarArchiveOutputStream tos = new TarArchiveOutputStream(NullOutputStream.NULL_OUTPUT_STREAM);
           tos.setBigNumberMode(TarArchiveOutputStream.BIGNUMBER_POSIX);
           tos.putArchiveEntry(t);
   
           byte[] bytes = new byte[TarConstants.DEFAULT_RCDSIZE];
           for (int i = 0; i < Integer.MAX_VALUE; i++) {
               tos.write(bytes);
           }
           tos.closeArchiveEntry();
           tos.close();
       }
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [commons-compress] garydgregory commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1472182094

   https://issues.apache.org/jira/browse/COMPRESS-642




[GitHub] [commons-compress] garydgregory commented on a diff in pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on code in PR #368:
URL: https://github.com/apache/commons-compress/pull/368#discussion_r1138651600


##########
src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveOutputStream.java:
##########
@@ -348,7 +348,7 @@ public void closeArchiveEntry() throws IOException {
                 + "' before the '" + currSize
                 + "' bytes specified in the header were written");
         }
-        recordsWritten = ExactMath.add(recordsWritten, (currSize / RECORD_SIZE));
+        recordsWritten += (currSize / RECORD_SIZE);
 
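Review bot: on the `+` line, switching from `ExactMath.add` to `+=` removes the overflow check, and a Java compound assignment casts the result back to the type of `recordsWritten` without raising anything. The declaration of `recordsWritten` is not part of this hunk; confirm it is widened to `long` in the same change, otherwise a large `currSize / RECORD_SIZE` would wrap silently where the old code threw the ArithmeticException. A one-line comment at the field explaining why it is a `long` would also keep a later refactor from narrowing it again.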

Review Comment:
   Remove useless parens.





[GitHub] [commons-compress] garydgregory commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1472617339

   @klaren 
   I might get to it this weekend!




[GitHub] [commons-compress] garydgregory commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1471944326

   > I wrote a test to reproduce the issue, writing to a `NullOutputStream`, but that turned out to be really slow due to the forced 512-byte chunking. So I opted not to include that.
   > 
   > ```java
   >     @Test
   >     public void testWritingBigFile() throws Exception {
   >         final TarArchiveEntry t = new TarArchiveEntry("foo");
   >         t.setSize((Integer.MAX_VALUE + 1L) * TarConstants.DEFAULT_RCDSIZE);
   >         final TarArchiveOutputStream tos = new TarArchiveOutputStream(NullOutputStream.NULL_OUTPUT_STREAM);
   >         tos.setBigNumberMode(TarArchiveOutputStream.BIGNUMBER_POSIX);
   >         tos.putArchiveEntry(t);
   > 
   >         byte[] bytes = new byte[TarConstants.DEFAULT_RCDSIZE];
   >         for (int i = 0; i < Integer.MAX_VALUE; i++) {
   >             tos.write(bytes);
   >         }
   >         tos.closeArchiveEntry();
   >         tos.close();
   >     }
   > ```
   
   How slow?




[GitHub] [commons-compress] klaren commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "klaren (via GitHub)" <gi...@apache.org>.
klaren commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1472425554

   Thanks for the swift response, @garydgregory!
   
   Is there any timeline for a new release?
   
   This issue is blocking us and CVEs prevent us from going back to version 1.21.




[GitHub] [commons-compress] klaren commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "klaren (via GitHub)" <gi...@apache.org>.
klaren commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1471959528

   > How slow?
   
   ~3 min on my machine. So if you think that is acceptable I can add it.




[GitHub] [commons-compress] garydgregory commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1472078346

   > > How slow?
   > 
   > ~3 min on my machine. So if you think that is acceptable I can add it.
   
   Add it but use `@Disabled` with a comment.




[GitHub] [commons-compress] garydgregory merged pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "garydgregory (via GitHub)" <gi...@apache.org>.
garydgregory merged PR #368:
URL: https://github.com/apache/commons-compress/pull/368




[GitHub] [commons-compress] klaren commented on pull request #368: COMPRESS-642 Integer overflow ArithmeticException in TarArchiveOutputStream

Posted by "klaren (via GitHub)" <gi...@apache.org>.
klaren commented on PR #368:
URL: https://github.com/apache/commons-compress/pull/368#issuecomment-1472158786

   @garydgregory I think that was all.

