This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new ba415833d COMPRESS-632: Check for invalid PAX values in
TarArchiveEntry (#438)
ba415833d is described below
commit ba415833dcbcddabf7e47d6e2ecfa5c602ac1560
Author: Yakov Shafranovich <yako...@users.noreply.github.com>
AuthorDate: Tue Nov 14 08:54:30 2023 -0500
COMPRESS-632: Check for invalid PAX values in TarArchiveEntry (#438)
* Added check for invalid Instant values when parsing PAX headers in
TarArchiveEntry
* updated TarArchiveEntry
* Better internal comment
---------
Co-authored-by: Yakov Shafranovich <yako...@amazon.com>
Co-authored-by: Gary Gregory <garydgreg...@users.noreply.github.com>
---
.../apache/commons/compress/archivers/tar/TarArchiveEntry.java | 9 ++++++++-
.../commons/compress/archivers/tar/TarArchiveEntryTest.java | 5 ++++-
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git
a/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveEntry.java
b/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveEntry.java
index 360f9407a..13ab998a6 100644
---
a/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveEntry.java
+++
b/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveEntry.java
@@ -30,6 +30,7 @@ import java.nio.file.attribute.BasicFileAttributes;
import java.nio.file.attribute.DosFileAttributes;
import java.nio.file.attribute.FileTime;
import java.nio.file.attribute.PosixFileAttributes;
+import java.time.DateTimeException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
@@ -286,7 +287,13 @@ public class TarArchiveEntry implements ArchiveEntry,
TarConstants, EntryStreamO
final BigDecimal epochSeconds = new BigDecimal(value);
final long seconds = epochSeconds.longValue();
final long nanos =
epochSeconds.remainder(BigDecimal.ONE).movePointRight(9).longValue();
- return Instant.ofEpochSecond(seconds, nanos);
+ try {
+ return Instant.ofEpochSecond(seconds, nanos);
+ } catch (DateTimeException | ArithmeticException e) {
+ // DateTimeException: Thrown if the instant exceeds the maximum or
minimum instant.
+ // ArithmeticException: Thrown if numeric overflow occurs.
+ throw new IOException("Corrupted PAX header. Time field value is
invalid '" + value + "'", e);
+ }
}
/** The entry's name. */
diff --git
a/src/test/java/org/apache/commons/compress/archivers/tar/TarArchiveEntryTest.java
b/src/test/java/org/apache/commons/compress/archivers/tar/TarArchiveEntryTest.java
index 2e36fc513..3d3e9e944 100644
---
a/src/test/java/org/apache/commons/compress/archivers/tar/TarArchiveEntryTest.java
+++
b/src/test/java/org/apache/commons/compress/archivers/tar/TarArchiveEntryTest.java
@@ -263,7 +263,10 @@ public class TarArchiveEntryTest implements TarConstants {
Collections.nCopies(15000,
String.valueOf(Long.MAX_VALUE))),
// These two examples use the exponent notation
"9e9999999",
- "9E9999999"
+ "9E9999999",
+ // These examples are out of range for java.time.Instant
+ String.valueOf(Long.MAX_VALUE),
+ String.valueOf(Long.MIN_VALUE)
};
// @formatter:on
