This is an automated email from the ASF dual-hosted git repository.

ggregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git


The following commit(s) were added to refs/heads/master by this push:
     new e03b342  Address CodeQL issues in pack200/unpack200 packages.
e03b342 is described below

commit e03b342b1a514bb5dfed656c5711003e21c93353
Author: Gary Gregory <garydgreg...@gmail.com>
AuthorDate: Tue Feb 8 21:15:23 2022 -0500

    Address CodeQL issues in pack200/unpack200 packages.
    
    Throw ArithmeticException instead of silently overflowing.
---
 .../compress/archivers/dump/TapeInputStream.java        |  3 ++-
 .../compress/archivers/tar/TarArchiveOutputStream.java  |  4 +++-
 .../compress/archivers/zip/ExplodingInputStream.java    |  3 ++-
 .../compress/compressors/deflate64/HuffmanDecoder.java  | 17 +++++++++--------
 .../org/apache/commons/compress/utils/ExactMath.java    |  9 +++++----
 5 files changed, 21 insertions(+), 15 deletions(-)

diff --git 
a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java 
b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
index 006953f..8585a17 100644
--- 
a/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
+++ 
b/src/main/java/org/apache/commons/compress/archivers/dump/TapeInputStream.java
@@ -26,6 +26,7 @@ import java.util.Arrays;
 import java.util.zip.DataFormatException;
 import java.util.zip.Inflater;
 
+import org.apache.commons.compress.utils.ExactMath;
 import org.apache.commons.compress.utils.IOUtils;
 
 /**
@@ -205,7 +206,7 @@ class TapeInputStream extends FilterInputStream {
             }
 
             // do not copy data but still increment counters.
-            readOffset += n;
+            readOffset = ExactMath.add(readOffset, n);
             bytes += n;
         }
 
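Review bot: The new `ExactMath.add(readOffset, n)` call makes an oversized offset surface as an unchecked `ArithmeticException` in the middle of a stream read path, and nothing visible in the hunk converts it to an `IOException`. Code that treats a malformed or hostile archive as an I/O error presumably catches `IOException` only, so this can escape as an unexpected runtime failure. Consider `try { readOffset = ExactMath.add(readOffset, n); } catch (ArithmeticException e) { throw new IOException("read offset overflow", e); }` if the enclosing method declares `IOException`; its signature is outside the hunk. The same applies to the `length` update in ExplodingInputStream and the `run`/`dist` updates in HuffmanDecoder. Also, `bytes += n` on the following line is still a plain compound assignment.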
diff --git 
a/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveOutputStream.java
 
b/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveOutputStream.java
index 18744c9..0f49490 100644
--- 
a/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveOutputStream.java
+++ 
b/src/main/java/org/apache/commons/compress/archivers/tar/TarArchiveOutputStream.java
@@ -35,6 +35,7 @@ import 
org.apache.commons.compress.archivers.ArchiveOutputStream;
 import org.apache.commons.compress.archivers.zip.ZipEncoding;
 import org.apache.commons.compress.archivers.zip.ZipEncodingHelper;
 import org.apache.commons.compress.utils.CountingOutputStream;
+import org.apache.commons.compress.utils.ExactMath;
 import org.apache.commons.compress.utils.FixedLengthBlockOutputStream;
 
 import static java.nio.charset.StandardCharsets.*;
@@ -432,7 +433,8 @@ public class TarArchiveOutputStream extends 
ArchiveOutputStream {
                 + "' before the '" + currSize
                 + "' bytes specified in the header were written");
         }
-        recordsWritten += (currSize / RECORD_SIZE);
+        recordsWritten = ExactMath.add(recordsWritten, (currSize / 
RECORD_SIZE));
+
         if (0 != currSize % RECORD_SIZE) {
             recordsWritten++;
         }
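Review bot: `recordsWritten++` two lines below the new `ExactMath.add` call is still unchecked, so if the field is an `int` (its declaration is outside the hunk) a counter left at `Integer.MAX_VALUE` by the checked add wraps silently on a final partial record. `recordsWritten = Math.incrementExact(recordsWritten);` would keep both updates consistent. Because `ExactMath.add` narrows to `int`, an archive whose record count exceeds the int range now fails with `ArithmeticException`; if such sizes are meant to be supported, widening the counter to `long` would be the more complete fix. The enclosing method starts and ends outside the hunk.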
diff --git 
a/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
 
b/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
index 0886939..389d35f 100644
--- 
a/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
+++ 
b/src/main/java/org/apache/commons/compress/archivers/zip/ExplodingInputStream.java
@@ -24,6 +24,7 @@ import java.io.InputStream;
 
 import org.apache.commons.compress.utils.CloseShieldFilterInputStream;
 import org.apache.commons.compress.utils.CountingInputStream;
+import org.apache.commons.compress.utils.ExactMath;
 import org.apache.commons.compress.utils.InputStreamStatistics;
 
 /**
@@ -200,7 +201,7 @@ class ExplodingInputStream extends InputStream implements 
InputStreamStatistics
                     // EOF
                     return;
                 }
-                length += nextByte;
+                length = ExactMath.add(length, nextByte);
             }
             length += minimumMatchLength;
 
diff --git 
a/src/main/java/org/apache/commons/compress/compressors/deflate64/HuffmanDecoder.java
 
b/src/main/java/org/apache/commons/compress/compressors/deflate64/HuffmanDecoder.java
index 65daec7..41eb834 100644
--- 
a/src/main/java/org/apache/commons/compress/compressors/deflate64/HuffmanDecoder.java
+++ 
b/src/main/java/org/apache/commons/compress/compressors/deflate64/HuffmanDecoder.java
@@ -17,8 +17,10 @@
  */
 package org.apache.commons.compress.compressors.deflate64;
 
-import org.apache.commons.compress.utils.BitInputStream;
-import org.apache.commons.compress.utils.ByteUtils;
+import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.DYNAMIC_CODES;
+import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.FIXED_CODES;
+import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.INITIAL;
+import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.STORED;
 
 import java.io.Closeable;
 import java.io.EOFException;
@@ -27,10 +29,9 @@ import java.io.InputStream;
 import java.nio.ByteOrder;
 import java.util.Arrays;
 
-import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.DYNAMIC_CODES;
-import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.FIXED_CODES;
-import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.INITIAL;
-import static 
org.apache.commons.compress.compressors.deflate64.HuffmanState.STORED;
+import org.apache.commons.compress.utils.BitInputStream;
+import org.apache.commons.compress.utils.ByteUtils;
+import org.apache.commons.compress.utils.ExactMath;
 
 class HuffmanDecoder implements Closeable {
 
@@ -325,14 +326,14 @@ class HuffmanDecoder implements Closeable {
                     final int runMask = RUN_LENGTH_TABLE[symbol - 257];
                     int run = runMask >>> 5;
                     final int runXtra = runMask & 0x1F;
-                    run += readBits(runXtra);
+                    run = ExactMath.add(run, readBits(runXtra));
 
                     final int distSym = nextSymbol(reader, distanceTree);
 
                     final int distMask = DISTANCE_TABLE[distSym];
                     int dist = distMask >>> 4;
                     final int distXtra = distMask & 0xF;
-                    dist += readBits(distXtra);
+                    dist = ExactMath.add(dist, readBits(distXtra));
 
                     if (runBuffer.length < run) {
                         runBuffer = new byte[run];
diff --git a/src/main/java/org/apache/commons/compress/utils/ExactMath.java 
b/src/main/java/org/apache/commons/compress/utils/ExactMath.java
index 860aa0d..a01d835 100644
--- a/src/main/java/org/apache/commons/compress/utils/ExactMath.java
+++ b/src/main/java/org/apache/commons/compress/utils/ExactMath.java
@@ -33,12 +33,13 @@ public class ExactMath {
     /**
      * Adds two values and throws an exception on overflow.
      *
-     * @param intValue the first value.
-     * @param longValue the second value.
+     * @param x the first value.
+     * @param y the second value.
      * @return addition of both values.
      * @throws ArithmeticException when there is an overflow.
      */
-    public static int add(final int intValue, final long longValue) {
-        return Math.addExact(intValue, Math.toIntExact(longValue));
+    public static int add(final int x, final long y) {
+        return Math.addExact(x, Math.toIntExact(y));
     }
+
 }
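Review bot: The Javadoc on `add` does not say that `y` is narrowed with `Math.toIntExact` before the addition, so the method throws for any `y` outside the int range even when the mathematical sum fits, e.g. `add(-1, Integer.MAX_VALUE + 1L)`. Either document that, for instance `@throws ArithmeticException if {@code y} does not fit in an int or the sum overflows an int`, or add in long first with `return Math.toIntExact(Math.addExact((long) x, y));`. The rename to `x`/`y` also drops the hint that the second argument is a long, which the `@param` text could restate.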
