Posted to commits@commons.apache.org by pe...@apache.org on 2020/09/02 13:02:11 UTC
[commons-compress] branch master updated: COMPRESS-547 : add
asserts for Arrays.copyOf
This is an automated email from the ASF dual-hosted git repository.
peterlee pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new 4eb3bbe COMPRESS-547 : add asserts for Arrays.copyOf
4eb3bbe is described below
commit 4eb3bbe8e95f5e3b6388b1e8db28b862cc712294
Author: PeterAlfredLee <pe...@gmail.com>
AuthorDate: Wed Sep 2 20:54:46 2020 +0800
COMPRESS-547 : add asserts for Arrays.copyOf
Add asserts for Arrays.copyOf in X0017_StrongEncryptionHeader.
---
src/changes/changes.xml | 4 ++++
.../commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index c10d9d7..2fdb039 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -222,6 +222,10 @@ The <action> type attribute can be add,update,fix,remove.
Throw an decleared IOException if a null entry is met when
reading a global pax header instead of a runtime NPE.
</action>
+ <action issue="COMPRESS-547" type="fix" date="2020-09-02"
+ due-to="Maksim Zuev" dev="PeterLee">
+ Add asserts for Arrays.copyOf in X0017_StrongEncryptionHeader.
+ </action>
</release>
<release version="1.20" date="2020-02-08"
description="Release 1.20 (Java 7)">
diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java b/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java
index 9e27771..e1a5ebe 100644
--- a/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java
+++ b/src/main/java/org/apache/commons/compress/archivers/zip/X0017_StrongEncryptionHeader.java
@@ -341,6 +341,7 @@ public class X0017_StrongEncryptionHeader extends PKWareExtraHeader {
assertMinimalLength(4, length);
final int ivSize = ZipShort.getValue(data, offset);
assertDynamicLengthFits("ivSize", ivSize, 4, length);
+ assertMinimalLength(offset + 4, ivSize);
// TODO: what is at offset + 2?
this.ivData = Arrays.copyOfRange(data, offset + 4, ivSize);
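Review bot: The third argument of `Arrays.copyOfRange` is an exclusive end index, not a length, so `Arrays.copyOfRange(data, offset + 4, ivSize)` copies `ivSize - (offset + 4)` bytes instead of `ivSize` bytes, and the added `assertMinimalLength(offset + 4, ivSize)` only replaces the `IllegalArgumentException` for from > to with a `ZipException`. Assuming the helper takes the required minimum first and the actual value second, as its other calls here suggest, a well-formed header is now rejected whenever `offset + 4` exceeds `ivSize`, and one that passes still gets a truncated IV. If `ivSize` is a byte count, as the preceding `assertDynamicLengthFits("ivSize", ivSize, 4, length)` implies, the copy should read `this.ivData = Arrays.copyOfRange(data, offset + 4, offset + 4 + ivSize);` and the new assert becomes unnecessary. The same index-versus-length pattern is in the `erdData` copy in the next hunk and the `vData` copy in the last hunk; the enclosing method starts and ends outside these hunks.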
@@ -353,6 +354,7 @@ public class X0017_StrongEncryptionHeader extends PKWareExtraHeader {
final int erdSize = ZipShort.getValue(data, offset + ivSize + 14);
assertDynamicLengthFits("erdSize", erdSize, ivSize + 16, length);
+ assertMinimalLength(offset + ivSize + 16, erdSize);
this.erdData = Arrays.copyOfRange(data, offset + ivSize + 16, erdSize);
assertMinimalLength(16 + 4 + ivSize + erdSize, length);
@@ -365,7 +367,9 @@ public class X0017_StrongEncryptionHeader extends PKWareExtraHeader {
throw new ZipException("Invalid X0017_StrongEncryptionHeader: vSize " + vSize
+ " is too small to hold CRC");
}
+ assertMinimalLength(offset + ivSize + 22 + erdSize, vSize - 4);
this.vData = Arrays.copyOfRange(data, offset + ivSize + 22 + erdSize, vSize - 4);
+ assertMinimalLength(offset + ivSize + 22 + erdSize + vSize - 4, 4);
this.vCRC32 = Arrays.copyOfRange(data, offset + ivSize + 22 + erdSize + vSize - 4, 4);
} else {
assertMinimalLength(ivSize + 20 + erdSize + 6, length); // up to and including resize
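Review bot: The added `assertMinimalLength(offset + ivSize + 22 + erdSize + vSize - 4, 4)` appears to make this branch reject every input. Judging by the neighbouring calls, the helper takes the required minimum first and the actual length second; here the minimum is at least 22 once `vSize` has passed the check above, while the second argument is the constant 4. The unguarded `Arrays.copyOfRange(..., 4)` would have thrown `IllegalArgumentException` for the same inputs because its last argument is an end index, so the assert changes the exception type but the CRC is still never read. Passing a real end index fixes that: `final int crcStart = offset + ivSize + 22 + erdSize + vSize - 4;` followed by `this.vCRC32 = Arrays.copyOfRange(data, crcStart, crcStart + 4);`, provided a bounds check against `length` outside this hunk already covers `vSize`. A unit test that parses a header with a non-empty validation block would pin this behaviour.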