On Mon, 7 Oct 2024 19:54:15 GMT, Eirik Bjørsnøs <eir...@openjdk.org> wrote:

>> Please review this PR which adds validation of the 'total entries' value
>> when fetched from the 'ZIP64 End of Central Directory' header.
>>
>> We should reject this value under the following conditions:
>>
>> 1. It is too large to fit within the specified CEN size (considering each
>> CEN header encodes as at least 46 bytes each)
>> 2. It is too large to create the `int[] entries` array safely (max value is
>> `ArraysSupport.SOFT_MAX_ARRAY_LENGTH / 3`)
>>
>> I claim that condition 2 here is already implicitly validated by the current
>> maximum CEN size validation. (A CEN encoding such a large number of entries
>> would exceed the maximum CEN size a lot and would already be rejected)
>>
>> This change aims to protect the integrity of the implementation against
>> specially crafted ZIP files. No sane ZIP tool will produce such files.
>>
>> Testing:
>>
>> This PR adds a test `EndOfCenValidation.shouldRejectBadTotalEntries` which
>> exercises the first condition above.
>>
>> ZIP tests run locally. GHA results pending.
>
> Eirik Bjørsnøs has updated the pull request incrementally with two additional
> commits since the last revision:
>
> - Remove trailing whitespace
> - Use a ZIP64 test vector which may be reproduced using InfoZIP

Marked as reviewed by lancea (Reviewer).

-------------

PR Review: https://git.openjdk.org/jdk/pull/21384#pullrequestreview-2352826338