On Mon, 7 Oct 2024 09:13:57 GMT, Eirik Bjørsnøs <eir...@openjdk.org> wrote:
> Please review this PR which adds validation of the 'total entries' value when > fetched from the 'ZIP64 End of Central Directory' header. > > We should reject this value under the following conditions: > > 1. It is too large to fit within the specified CEN size (considering each CEN > header encodes as at least 46 bytes each) > 2. It is too large to create the `int[] entries` array safely (max value is > `ArraysSupport.SOFT_MAX_ARRAY_LENGTH / 3`) > > I claim that condition 2 here is already implicitly validated by the current > maximum CEN size validation. (A CEN encoding such a large number of entries > would exceed the maximum CEN size a lot and would already be rejected) > > This change aims to protect the integrity of the implementation against > specially crafted ZIP files. No sane ZIP tool will produce such files. > > Testing: > > This PR adds a test `EndOfCenValidation.shouldRejectBadTotalEntries` which > exercises the first condition above. > > ZIP tests run locally. GHA results pending. This pull request has now been integrated. Changeset: 950e3a75 Author: Eirik Bjørsnøs <eir...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/950e3a7587ed3269aab0c3b6625b9cc9149d34d8 Stats: 152 lines in 2 files changed: 135 ins; 0 del; 17 mod 8341625: Improve ZipFile validation of the END header Reviewed-by: lancea ------------- PR: https://git.openjdk.org/jdk/pull/21384
