Details
- Bug
- Status: Resolved
- Major
- Resolution: Fixed
- 1.23.0
- None
- None
Description
The attached fuzzed zip file fails to open with the following test when the allowStoredEntriesWithDataDescriptor value is true.
    @ParameterizedTest
    @ValueSource(booleans = {true, false})
    public void zipInputStream(final boolean allowStoredEntriesWithDataDescriptor) {
        try (ZipArchiveInputStream zIn = new ZipArchiveInputStream(
                Files.newInputStream(Paths.get("crash-commons-compress-ZipArchiveInputStream-dataDescriptor")),
                "UTF-8", false, allowStoredEntriesWithDataDescriptor)) {
            ZipArchiveEntry zae = zIn.getNextZipEntry();
            while (zae != null) {
                zae = zIn.getNextZipEntry();
            }
        } catch (IOException e) {
            // Ignore expected exception
        }
    }
The exception is
    java.lang.ArrayIndexOutOfBoundsException: arraycopy: source index -6 out of bounds for byte[512]
        at java.base/java.lang.System.arraycopy(Native Method)
        at java.base/java.io.PushbackInputStream.unread(PushbackInputStream.java:232)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.pushback(ZipArchiveInputStream.java:979)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.bufferContainsSignature(ZipArchiveInputStream.java:471)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.readStoredEntry(ZipArchiveInputStream.java:1282)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.readStored(ZipArchiveInputStream.java:1211)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.read(ZipArchiveInputStream.java:1013)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.skip(ZipArchiveInputStream.java:1343)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.closeEntry(ZipArchiveInputStream.java:562)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.getNextZipEntry(ZipArchiveInputStream.java:735)
        at org.apache.commons.compress.archivers.zip.ZipArchiveInputStreamTest.zipInputStream(ZipArchiveInputStreamTest.java:765)
I also tried to open the file with the ZipFile class and the crash does not occur there. Seems to only affect the stream implementation with that specific option.
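
Added example, not part of the report and not the project's fix: a caller-side wrapper for code that parses untrusted ZIP input. The test above only catches IOException, so the unchecked exception in the trace escapes it; the wrapper reports any unchecked parser failure as IOException so that such input is rejected on the same path. The class name SafeZipListing, the method listEntries and the in-memory sample archive are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;

// Hypothetical helper class, written for this example only.
public final class SafeZipListing {

    /** Lists entry names; every parser failure surfaces as IOException. */
    public static List<String> listEntries(final InputStream untrusted) throws IOException {
        final List<String> names = new ArrayList<>();
        // Same constructor arguments as the test above, with the option set to true.
        try (ZipArchiveInputStream zIn =
                 new ZipArchiveInputStream(untrusted, "UTF-8", false, true)) {
            ZipArchiveEntry zae;
            while ((zae = zIn.getNextZipEntry()) != null) {
                names.add(zae.getName());
            }
        } catch (final RuntimeException e) {
            // Unchecked parser failures (such as the ArrayIndexOutOfBoundsException
            // in the trace above) are reported as a malformed archive, so callers
            // that reject input on IOException also reject this input.
            throw new IOException("Malformed ZIP input", e);
        }
        return names;
    }

    public static void main(final String[] args) throws IOException {
        // Constructed sample: a well-formed one-entry archive built with the JDK.
        final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("hello.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        System.out.println(listEntries(new ByteArrayInputStream(buf.toByteArray())));
    }
}
```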