8340553: ZipEntry field validation does not take into account the size of a CEN header

Reviewed-by: jpai, redestad, eirbjo
2025-08-26 14:24:46 +02:00 · 2024-10-21 15:34:27 +00:00 · 2024-10-21 15:34:27 +00:00 · 54a744b023
commit 54a744b023
parent 18b55ceaa4
4 changed files with 236 additions and 195 deletions
--- a/src/java.base/share/classes/java/util/zip/ZipEntry.java
+++ b/src/java.base/share/classes/java/util/zip/ZipEntry.java
@ -91,7 +91,10 @@ public class ZipEntry implements ZipConstants, Cloneable {
     */
    private static final long UPPER_DOSTIME_BOUND =
            128L * 365 * 24 * 60 * 60 * 1000;
-
+    // CEN header size + name length + comment length + extra length
+    // should not exceed 65,535 bytes per the PKWare APP.NOTE
+    // 4.4.10, 4.4.11, & 4.4.12.
+    private static final int MAX_COMBINED_CEN_HEADER_SIZE = 0xFFFF;
    /**
     * Creates a new ZIP entry with the specified name.
     *
@ -99,12 +102,12 @@ public class ZipEntry implements ZipConstants, Cloneable {
     *         The entry name
     *
     * @throws NullPointerException if the entry name is null
-     * @throws IllegalArgumentException if the entry name is longer than
-     *         0xFFFF bytes
+     * @throws IllegalArgumentException if the combined length of the entry name
+     * and the {@linkplain #CENHDR CEN Header size} exceeds 65,535 bytes.
     */
    public ZipEntry(String name) {
        Objects.requireNonNull(name, "name");
-        if (name.length() > 0xFFFF) {
+        if (!isCENHeaderValid(name, null, null)) {
            throw new IllegalArgumentException("entry name too long");
        }
        this.name = name;
@ -519,8 +522,10 @@ public class ZipEntry implements ZipConstants, Cloneable {
     * @param  extra
     *         The extra field data bytes
     *
-     * @throws IllegalArgumentException if the length of the specified
-     *         extra field data is greater than 0xFFFF bytes
+     * @throws IllegalArgumentException if the combined length of the specified
+     * extra field data, the {@linkplain #getName() entry name},
+     * the {@linkplain #getComment() entry comment}, and the
+     * {@linkplain #CENHDR CEN Header size} exceeds 65,535 bytes.
     *
     * @see #getExtra()
     */
@ -541,7 +546,7 @@ public class ZipEntry implements ZipConstants, Cloneable {
     */
    void setExtra0(byte[] extra, boolean doZIP64, boolean isLOC) {
        if (extra != null) {
-            if (extra.length > 0xFFFF) {
+            if (!isCENHeaderValid(name, extra, comment)) {
                throw new IllegalArgumentException("invalid extra field length");
            }
            // extra fields are in "HeaderID(2)DataSize(2)Data... format
@ -642,16 +647,19 @@ public class ZipEntry implements ZipConstants, Cloneable {

    /**
     * Sets the optional comment string for the entry.
-     *
-     * <p>ZIP entry comments have maximum length of 0xffff. If the length of the
-     * specified comment string is greater than 0xFFFF bytes after encoding, only
-     * the first 0xFFFF bytes are output to the ZIP file entry.
-     *
     * @param comment the comment string
-     *
+     * @throws IllegalArgumentException if the combined length
+     * of the specified entry comment, the {@linkplain #getName() entry name},
+     * the {@linkplain #getExtra() extra field data}, and the
+     * {@linkplain #CENHDR CEN Header size} exceeds 65,535 bytes.
     * @see #getComment()
     */
    public void setComment(String comment) {
+        if (comment != null) {
+            if (!isCENHeaderValid(name, extra, comment)) {
+                throw new IllegalArgumentException("entry comment too long");
+            }
+        }
        this.comment = comment;
    }

@ -702,4 +710,22 @@ public class ZipEntry implements ZipConstants, Cloneable {
            throw new InternalError(e);
        }
    }
+
+    /**
+     * Initial validation that the CEN header size + name length + comment length
+     * + extra length do not exceed 65,535 bytes per the PKWare APP.NOTE
+     * 4.4.10, 4.4.11, & 4.4.12.   Prior to writing out the CEN Header,
+     * ZipOutputStream::writeCEN will do an additional validation  of the combined
+     * length of the fields after encoding the name and comment to a byte array.
+     * @param name Zip entry name
+     * @param extra Zip extra data
+     * @param comment Zip entry comment
+     * @return true if valid CEN Header size; false otherwise
+     */
+     static boolean isCENHeaderValid(String name, byte[] extra, String comment) {
+        int clen = comment == null ? 0 : comment.length();
+        int elen = extra == null ? 0 : extra.length;
+        long headerSize = (long)CENHDR + name.length() + clen + elen;
+        return headerSize <= MAX_COMBINED_CEN_HEADER_SIZE;
+    }
 }
--- a/src/java.base/share/classes/java/util/zip/ZipOutputStream.java
+++ b/src/java.base/share/classes/java/util/zip/ZipOutputStream.java
@ -32,6 +32,7 @@ import java.util.Objects;
 import java.util.Vector;
 import java.util.HashSet;
 import static java.util.zip.ZipConstants64.*;
+import static java.util.zip.ZipEntry.isCENHeaderValid;
 import static java.util.zip.ZipUtils.*;
 import sun.nio.cs.UTF_8;
 import sun.security.action.GetBooleanAction;
@ -262,6 +263,12 @@ public class ZipOutputStream extends DeflaterOutputStream implements ZipConstant
        }
        if (zc.isUTF8())
            e.flag |= USE_UTF8;
+        // CEN header size + name length + comment length + extra length
+        // should not exceed 65,535 bytes per the PKWare APP.NOTE
+        // 4.4.10, 4.4.11, & 4.4.12.
+        if (!isCENHeaderValid(e.name, e.extra, e.comment) ) {
+            throw new ZipException("invalid CEN header (bad header size)");
+        }
        current = new XEntry(e, written);
        xentries.add(current);
        writeLOC(current);
@ -602,6 +609,22 @@ public class ZipOutputStream extends DeflaterOutputStream implements ZipConstant
        if (hasZip64) {
            elen += (elenZIP64 + 4);// + headid(2) + datasize(2)
        }
+
+        int clen = 0;
+        byte[] commentBytes = null;
+        if (e.comment != null) {
+            commentBytes = zc.getBytes(e.comment);
+            clen = commentBytes.length;
+        }
+
+        // CEN header size + name length + comment length + extra length
+        // should not exceed 65,535 bytes per the PKWare APP.NOTE
+        // 4.4.10, 4.4.11, & 4.4.12.
+        long headerSize = (long)CENHDR + nlen + clen + elen;
+        if (headerSize > 0xFFFF ) {
+            throw new ZipException("invalid CEN header (bad header size)");
+        }
+
        // cen info-zip extended timestamp only outputs mtime
        // but set the flag for a/ctime, if present in loc
        int flagEXTT = 0;
@ -633,12 +656,6 @@ public class ZipOutputStream extends DeflaterOutputStream implements ZipConstant
            }
        }
        writeShort(elen);
-        byte[] commentBytes = null;
-        int clen = 0;
-        if (e.comment != null) {
-            commentBytes = zc.getBytes(e.comment);
-            clen = Math.min(commentBytes.length, 0xffff);
-        }
        writeShort(clen);              // file comment length
        writeShort(0);              // starting disk number
        writeShort(0);              // internal file attributes (unused)
@ -686,13 +703,6 @@ public class ZipOutputStream extends DeflaterOutputStream implements ZipConstant
            }
        }

-        // CEN header size + name length + comment length + extra length
-        // should not exceed 65,535 bytes per the PKWare APP.NOTE
-        // 4.4.10, 4.4.11, & 4.4.12.
-        long headerSize = (long)CENHDR + nlen + clen + elen;
-        if (headerSize > 0xFFFF ) {
-            throw new ZipException("invalid CEN header (bad header size)");
-        }
        writeExtra(e.extra);
        if (commentBytes != null) {
            writeBytes(commentBytes, 0, clen);