JDK-8056934

ZipInputStream does not correctly handle local header data descriptors with the optional signature missing

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: core-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      b32
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

        Description

        A zip file local header may be optionally followed by a "data descriptor", and that may optionally include a signature. ZipInputStream has code to handle the situation when the optional signature is missing, but it is buggy - off-by-one.

        webrev: http://cr.openjdk.java.net/~martin/webrevs/openjdk9/zip-DataDescriptorSignatureMissing/

            /*
             * Local headers for DEFLATED entries may optionally be followed by a
             * data descriptor, and that data descriptor may optionally contain a
             * leading signature (EXTSIG).
             *
             * From the zip spec http://www.pkware.com/documents/casestudies/APPNOTE.TXT
             *
             * """Although not originally assigned a signature, the value 0x08074b50
             * has commonly been adopted as a signature value for the data descriptor
             * record. Implementers should be aware that ZIP files may be
             * encountered with or without this signature marking data descriptors
             * and should account for either case when reading ZIP files to ensure
             * compatibility."""
             *
             * As of 2014-08, python's zipfile implementation does not include the
             * optional signature, but other implementations (including openjdk) do.
             *
             * ZipFile.writestr writes incorrect extended local headers
             * http://bugs.python.org/issue1742205
             */
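
An added example (not part of the bug report or the JDK fix), in Python: a streaming reader for the layout described above that accepts a data descriptor with or without the optional signature and confirms the choice against the inflated data. The function names and the sample archive are constructed for illustration, and 4-byte (non-ZIP64) descriptor sizes are assumed.

```python
import struct
import zlib

LOCSIG = 0x04034B50  # local file header signature
EXTSIG = struct.pack("<I", 0x08074B50)  # optional descriptor signature bytes
LOC = "<IHHHHHIIIHH"  # fixed 30-byte local header layout

def build_entry(name, data, with_sig):
    """Constructed sample: one streamed DEFLATED entry (flag bit 3 set)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no zlib wrapper
    raw = c.compress(data) + c.flush()
    hdr = struct.pack(LOC, LOCSIG, 20, 0x0008, 8, 0, 0, 0, 0, 0, len(name), 0)
    desc = struct.pack("<III", zlib.crc32(data), len(raw), len(data))
    return hdr + name + raw + (EXTSIG if with_sig else b"") + desc

def read_entry(buf, pos):
    """Return (name, data, next_pos) for the streamed entry at pos."""
    sig, _, flags, method, *_, nlen, xlen = struct.unpack_from(LOC, buf, pos)
    if sig != LOCSIG or method != 8 or not flags & 0x0008:
        raise ValueError("expected a streamed DEFLATED local header")
    start = pos + 30 + nlen + xlen
    name = buf[pos + 30:pos + 30 + nlen]
    inf = zlib.decompressobj(-15)
    data = inf.decompress(buf[start:])
    if not inf.eof:
        raise ValueError("truncated deflate stream")
    end = len(buf) - len(inf.unused_data)  # first byte after the deflate data
    want = (zlib.crc32(data), end - start, len(data))
    # Try the 16-byte form (EXTSIG first), then the 12-byte form. A layout is
    # accepted only if its fields match what was inflated, so a CRC that
    # happens to equal the signature value cannot be mistaken for it.
    for skip in (4, 0):
        if skip and buf[end:end + 4] != EXTSIG:
            continue
        body = buf[end + skip:end + skip + 12]
        if len(body) == 12 and struct.unpack("<III", body) == want:
            return name, data, end + skip + 12
    raise ValueError("data descriptor does not match inflated data")

def read_all(buf):
    """Walk back-to-back entries; a mis-sized descriptor derails the next one."""
    pos, out = 0, []
    while pos < len(buf):
        name, data, pos = read_entry(buf, pos)
        out.append((name, data))
    return out

# Constructed input: entry 1 omits the signature, entry 2 includes it.
SAMPLE = (build_entry(b"a.txt", b"hello " * 20, False)
          + build_entry(b"b.txt", b"world " * 20, True))
```

The returned `next_pos` is what matters for a streaming reader: consuming one byte too many or too few after the descriptor means the following local header signature is not found where expected.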

                People

                Assignee:
                martin Martin Buchholz
                Reporter:
                martin Martin Buchholz