Posted to commits@commons.apache.org by bo...@apache.org on 2021/05/14 15:50:59 UTC

[commons-compress] branch master updated (882c6dd -> de39b85)

This is an automated email from the ASF dual-hosted git repository.

bodewig pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git.


    from 882c6dd  one more case where the JDK throwing RuntimeEx may hurt us
     new 190939b  handle integer overflow
     new 8046bd2  properly fulfill InputStream's contract
     new de39b85  COMPRESS-567 turn possible RuntimeExceptions into IOExceptions

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../java/org/apache/commons/compress/archivers/tar/TarFile.java   | 8 ++++++--
 .../apache/commons/compress/utils/BoundedArchiveInputStream.java  | 3 +++
 src/main/java/org/apache/commons/compress/utils/IOUtils.java      | 2 +-
 3 files changed, 10 insertions(+), 3 deletions(-)

[commons-compress] 02/03: properly fulfill InputStream's contract

Posted by bo...@apache.org.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git

commit 8046bd27c09651cfc6b5f153171a87ce48b009c7
Author: Stefan Bodewig <st...@innoq.com>
AuthorDate: Fri May 14 17:43:23 2021 +0200

    properly fulfill InputStream's contract
---
 .../org/apache/commons/compress/utils/BoundedArchiveInputStream.java   | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/main/java/org/apache/commons/compress/utils/BoundedArchiveInputStream.java b/src/main/java/org/apache/commons/compress/utils/BoundedArchiveInputStream.java
index db8d948..4f7ec27 100644
--- a/src/main/java/org/apache/commons/compress/utils/BoundedArchiveInputStream.java
+++ b/src/main/java/org/apache/commons/compress/utils/BoundedArchiveInputStream.java
@@ -70,6 +70,9 @@ public abstract class BoundedArchiveInputStream extends InputStream {
         if (len <= 0) {
             return 0;
         }
+        if (off < 0 || len > b.length - off) {
+            throw new IllegalArgumentException("offset or len are out of bounds");
+        }
 
         if (len > end - loc) {
             if (loc >= end) {
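
Review bot: The new bounds check in read throws IllegalArgumentException, but the InputStream.read(byte[], int, int) contract named in the commit message specifies IndexOutOfBoundsException for a negative off or for len > b.length - off, so callers that handle the documented exception will not catch this one. Consider `throw new IndexOutOfBoundsException("offset or len are out of bounds");` instead. Because the check sits after the `if (len <= 0) { return 0; }` guard, a negative len still returns 0 rather than being rejected, and an invalid off goes unnoticed when len is 0; moving the check above that guard and adding `len < 0` to it would cover both cases. The comparison `len > b.length - off` itself is overflow-safe once off is known to be non-negative, so that part is fine as written.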

[commons-compress] 03/03: COMPRESS-567 turn possible RuntimeExceptions into IOExceptions

Posted by bo...@apache.org.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git

commit de39b85b6d74031fb3a5c269d80be1f1253d1c91
Author: Stefan Bodewig <st...@innoq.com>
AuthorDate: Fri May 14 17:49:34 2021 +0200

    COMPRESS-567 turn possible RuntimeExceptions into IOExceptions
    
    Credit to OSS-Fuzz
---
 .../java/org/apache/commons/compress/archivers/tar/TarFile.java   | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
index 8de9260..1c25ca8 100644
--- a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
+++ b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
@@ -633,8 +633,12 @@ public class TarFile implements Closeable {
      * @param entry Entry to get the input stream from
      * @return Input stream of the provided entry
      */
-    public InputStream getInputStream(final TarArchiveEntry entry) {
-        return new BoundedTarEntryInputStream(entry, archive);
+    public InputStream getInputStream(final TarArchiveEntry entry) throws IOException {
+        try {
+            return new BoundedTarEntryInputStream(entry, archive);
+        } catch (RuntimeException ex) {
+            throw new IOException("Corrupted TAR archive. Can't read entry", ex);
+        }
     }
 
     @Override
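
Review bot: The `catch (RuntimeException ex)` around the BoundedTarEntryInputStream constructor is broader than the fix needs: every unchecked exception raised there, including one caused by a caller error rather than by archive contents, will now surface as "Corrupted TAR archive. Can't read entry". If the exception types that OSS-Fuzz triggered are known, catching those specifically keeps genuine programming errors visible. The Javadoc shown above the method still lists only @param and @return, so an @throws IOException entry is missing. Adding a checked exception to this public method is also a source-incompatible change for existing callers and deserves a mention in the change log.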

[commons-compress] 01/03: handle integer overflow

Posted by bo...@apache.org.

bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git

commit 190939b04c566e3285b15c109ff69887ecba919d
Author: Stefan Bodewig <st...@innoq.com>
AuthorDate: Fri May 14 17:03:05 2021 +0200

    handle integer overflow
---
 src/main/java/org/apache/commons/compress/utils/IOUtils.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/commons/compress/utils/IOUtils.java b/src/main/java/org/apache/commons/compress/utils/IOUtils.java
index 0b7df96..3587ced 100644
--- a/src/main/java/org/apache/commons/compress/utils/IOUtils.java
+++ b/src/main/java/org/apache/commons/compress/utils/IOUtils.java
@@ -189,7 +189,7 @@ public final class IOUtils {
      */
     public static int readFully(final InputStream input, final byte[] array, final int offset, final int len)
         throws IOException {
-        if (len < 0 || offset < 0 || len + offset > array.length) {
+        if (len < 0 || offset < 0 || len + offset > array.length || len + offset < 0) {
             throw new IndexOutOfBoundsException();
         }
         int count = 0, x = 0;
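
Review bot: In the readFully bounds condition, prefer the overflow-free form `len > array.length - offset` over appending `len + offset < 0`. The added term is correct, since both operands have already been checked as non-negative and an overflowing sum can only wrap to a negative value, but the condition now computes the overflowing sum twice and depends on the order of the earlier checks to be right. The subtraction form cannot overflow once offset is known to be non-negative, makes the extra term unnecessary, and matches the check added to BoundedArchiveInputStream in this same push. A unit test that calls readFully with offset and len close to Integer.MAX_VALUE would pin the intended behaviour.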