JDK-8079841: Buffer underflow with empty zip entry names

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 8u25
    • Fix Version/s: 9
    • Component/s: core-libs
    • Labels:
      None

        Description

        zip_entry.c has a buffer underflow when a zip entry name is 0-length. It unilaterally checks for a slash at the end of the name, and if the name is empty, it checks at offset -1. Fix:


        --- a/src/java.base/share/native/libzip/zip_util.c Thu May 07 10:19:34 2015 -0700
        +++ b/src/java.base/share/native/libzip/zip_util.c Fri May 08 10:52:58 2015 -0700
        @@ -1206,7 +1206,7 @@
                 }
         
                 /* Slash is already there? */
        - if (name[ulen-1] == '/') {
        + if (ulen > 0 && name[ulen - 1] == '/') {
                     break;
                 }
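
        Review bot: with the new `ulen > 0` guard on the "Slash is already there?" check, a zero-length name never takes the `break` and always falls through to the code after this `if`, which the hunk's context does not show. Please confirm that the fall-through path is correct for an empty name (or reject the empty name before this check is reached), and add a regression test that exercises a zero-length entry name so the read at `name[ulen - 1]` stays guarded. The description also names zip_entry.c while the patch touches zip_util.c; the file name in the report should match the diff.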

                People

                Assignee:
                jmanson Jeremy Manson
                Reporter:
                jmanson Jeremy Manson