RFR: 8272746: ZipFile can't open big file (NegativeArraySizeException)

[Alan Bateman]

On Thu, 23 Dec 2021 10:55:08 GMT, Masanori Yano <myano at openjdk.org> wrote:

> Could you please review the JDK-8272746 bug fixes?
> Since the array index is of type int, the overflow occurs when the value of end.cenlen is too large because of too many entries.
> It is necessary to read a part of the CEN from the file to fix the problem fundamentally, but the way will require an extensive fix and degrade performance.
> In practical terms, the size of the central directory rarely grows that large. So, I fixed it to check the size of the central directory and throw an exception if it is too large.

src/java.base/share/classes/java/util/zip/ZipFile.java line 1501:

> 1499:                 // read in the CEN and END
> 1500:                 if (end.cenlen + ENDHDR >= Integer.MAX_VALUE) {
> 1501:                     zerror("invalid END header (too large central directory size)");

This check looks correct. It might be a bit clearer to say that "central directory size too large" rather than "too large central directory size".

The bug report says that JDK 8 and the native zip handle these zip files, were you able to check that?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6927