This is an automated email from the ASF dual-hosted git repository.
ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
The following commit(s) were added to refs/heads/master by this push:
new 666e787 Address CodeQL issues in pack200/unpack200 packages.
666e787 is described below
commit 666e787a17e4e7321b70e99e55acf27b6382ab17
Author: Gary Gregory <[email protected]>
AuthorDate: Tue Feb 8 20:59:31 2022 -0500
Address CodeQL issues in pack200/unpack200 packages.
Throw ArithmeticExceptioninstead of silently overflowing.
---
.../compress/archivers/cpio/CpioArchiveEntry.java | 3 +-
.../compress/harmony/pack200/BHSDCodec.java | 6 ++-
.../compress/harmony/pack200/FileBands.java | 3 +-
.../commons/compress/harmony/pack200/RunCodec.java | 8 ++--
.../compress/harmony/unpack200/BandSet.java | 3 +-
.../apache/commons/compress/utils/ExactMath.java | 44 ++++++++++++++++++++++
6 files changed, 59 insertions(+), 8 deletions(-)
diff --git
a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java
b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java
index 57c77f5..5e5e7ad 100644
---
a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java
+++
b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveEntry.java
@@ -30,6 +30,7 @@ import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.utils.ExactMath;
/**
* A cpio archive consists of a sequence of files. There are several types of
@@ -572,7 +573,7 @@ public class CpioArchiveEntry implements CpioConstants,
ArchiveEntry {
}
int size = this.headerSize + 1; // Name has terminating null
if (name != null) {
- size += nameSize;
+ size = ExactMath.add(size, nameSize);
}
final int remain = size % this.alignmentBoundary;
if (remain > 0) {
diff --git
a/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java
b/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java
index 8bd7020..5117481 100644
--- a/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java
+++ b/src/main/java/org/apache/commons/compress/harmony/pack200/BHSDCodec.java
@@ -22,6 +22,8 @@ import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
+import org.apache.commons.compress.utils.ExactMath;
+
/**
* A BHSD codec is a means of encoding integer values as a sequence of bytes
or vice versa using a specified "BHSD"
* encoding mechanism. It uses a variable-length encoding and a modified sign
representation such that small numbers are
@@ -243,7 +245,7 @@ public final class BHSDCodec extends Codec {
band[i] -= cardinality;
}
while (band[i] < smallest) {
- band[i] += cardinality;
+ band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -260,7 +262,7 @@ public final class BHSDCodec extends Codec {
band[i] -= cardinality;
}
while (band[i] < smallest) {
- band[i] += cardinality;
+ band[i] = ExactMath.add(band[i], cardinality);
}
}
}
diff --git
a/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java
b/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java
index 746b900..a394978 100644
--- a/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java
+++ b/src/main/java/org/apache/commons/compress/harmony/pack200/FileBands.java
@@ -25,6 +25,7 @@ import java.util.TimeZone;
import org.apache.commons.compress.harmony.pack200.Archive.PackingFile;
import org.apache.commons.compress.harmony.pack200.Archive.SegmentUnit;
+import org.apache.commons.compress.utils.ExactMath;
import org.objectweb.asm.ClassReader;
/**
@@ -86,7 +87,7 @@ public class FileBands extends BandSet {
}
final byte[] bytes = packingFile.getContents();
file_size[i] = bytes.length;
- totalSize += file_size[i];
+ totalSize = ExactMath.add(totalSize, file_size[i]);
// update modification time
modtime = (packingFile.getModtime() +
TimeZone.getDefault().getRawOffset()) / 1000L;
diff --git
a/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java
b/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java
index 41a07c3..f14b822 100644
--- a/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java
+++ b/src/main/java/org/apache/commons/compress/harmony/pack200/RunCodec.java
@@ -20,6 +20,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
+import org.apache.commons.compress.utils.ExactMath;
+
/**
* A run codec is a grouping of two nested codecs; K values are decoded from
the first codec, and the remaining codes
* are decoded from the remaining codec. Note that since this codec maintains
state, the instances are not reusable.
@@ -68,7 +70,7 @@ public class RunCodec extends Codec {
value -= cardinality;
}
while (value < bhsd.smallest()) {
- value += cardinality;
+ value = ExactMath.add(value, cardinality);
}
}
}
@@ -98,7 +100,7 @@ public class RunCodec extends Codec {
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
- band[i] += cardinality;
+ band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -117,7 +119,7 @@ public class RunCodec extends Codec {
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
- band[i] += cardinality;
+ band[i] = ExactMath.add(band[i], cardinality);
}
}
}
diff --git
a/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java
b/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java
index 5818623..55c26c0 100644
--- a/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java
+++ b/src/main/java/org/apache/commons/compress/harmony/unpack200/BandSet.java
@@ -36,6 +36,7 @@ import
org.apache.commons.compress.harmony.unpack200.bytecode.CPMethodRef;
import org.apache.commons.compress.harmony.unpack200.bytecode.CPNameAndType;
import org.apache.commons.compress.harmony.unpack200.bytecode.CPString;
import org.apache.commons.compress.harmony.unpack200.bytecode.CPUTF8;
+import org.apache.commons.compress.utils.ExactMath;
/**
* Abstract superclass for a set of bands
@@ -118,7 +119,7 @@ public abstract class BandSet {
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
- band[i] += cardinality;
+ band[i] = ExactMath.add(band[i], cardinality);
}
}
}
diff --git a/src/main/java/org/apache/commons/compress/utils/ExactMath.java
b/src/main/java/org/apache/commons/compress/utils/ExactMath.java
new file mode 100644
index 0000000..860aa0d
--- /dev/null
+++ b/src/main/java/org/apache/commons/compress/utils/ExactMath.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.commons.compress.utils;
+
+/**
+ * PRIVATE.
+ *
+ * Performs exact math through {@link Math} "exact" APIs.
+ */
+public class ExactMath {
+
+ private ExactMath() {
+ // no instances
+ }
+
+ /**
+ * Adds two values and throws an exception on overflow.
+ *
+ * @param intValue the first value.
+ * @param longValue the second value.
+ * @return addition of both values.
+ * @throws ArithmeticException when there is an overflow.
+ */
+ public static int add(final int intValue, final long longValue) {
+ return Math.addExact(intValue, Math.toIntExact(longValue));
+ }
+}
