This is an automated email from the ASF dual-hosted git repository. bodewig pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-compress.git
commit 30ff58d0f120b01e74db83eaee9f819fcf840843
Author: Stefan Bodewig <[email protected]>
AuthorDate: Sat May 1 15:43:37 2021 +0200
COMPRESS-567 overlooked a RuntimeException in BoundedArchiveInputStream unfortunately I cannot change the signature of BoundedArchiveInputStream's constructor as the way it is used in ZipFile doesn't allow it to throw an IOException without breaking backwards compatibility of ZipFile#getRawInputStream
---
 src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
index 2ba4ee2..378d4a5 100644
--- a/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
+++ b/src/main/java/org/apache/commons/compress/archivers/tar/TarFile.java
@@ -359,6 +359,10 @@ public class TarFile implements Closeable {
 if (sparseHeader.getNumbytes() > 0) {
 final long start = currEntry.getDataOffset() + sparseHeader.getOffset() - numberOfZeroBytesInSparseEntry;
+ if (start + sparseHeader.getNumbytes() < start) {
+ // possible integer overflow
+ throw new IOException("Unreadable TAR archive, sparse block offset or length too big");
+ }
 streams.add(new BoundedSeekableByteChannelInputStream(start, sparseHeader.getNumbytes(), archive));
 }
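Review bot: The new guard catches only wraparound of `start + sparseHeader.getNumbytes()`, but `start` itself is computed on the preceding context line with unchecked `long` arithmetic on values that appear to come from the archive's sparse headers, so a wrapped or negative `start` paired with a small positive length would still pass and reach the `BoundedSeekableByteChannelInputStream` constructor. Consider covering that case in the same condition, e.g. `if (start < 0 || sparseHeader.getNumbytes() > Long.MAX_VALUE - start) {`, which also avoids reasoning about an already-overflowed sum. Whether the constructor or a later read already rejects a negative offset is not visible here, and the enclosing method starts and ends outside the hunk, so this needs confirming against the full file. The diffstat shows only TarFile.java changed; a regression test using a sparse entry whose offset plus length exceeds `Long.MAX_VALUE` would pin the "IOException, not RuntimeException" contract the commit message describes.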
