RFR: 8303866: Allow ZipInputStream.readEnd to parse small Zip64 ZIP files [v2]

Lance Andersen lancea at openjdk.org
Tue Apr 18 18:22:04 UTC 2023 

On Wed, 29 Mar 2023 10:48:57 GMT, Eirik Bjorsnos <duke at openjdk.org> wrote:

>> ZipInputStream.readEnd currently assumes a Zip64 data descriptor if the number of compressed or uncompressed bytes read from the inflater is larger than the Zip64 magic value.
>> 
>> While the ZIP format  mandates that the data descriptor `SHOULD be stored in ZIP64 format (as 8 byte values) when a file's size exceeds 0xFFFFFFFF`, it also states that `ZIP64 format MAY be used regardless of the size of a file`. For such small entries, the above assumption does not hold.
>> 
>> This PR augments ZipInputStream.readEnd to also assume 8-byte sizes if the ZipEntry includes a Zip64 extra information field. This brings ZipInputStream into alignment with the APPNOTE format spec:
>> 
>> 
>> When extracting, if the zip64 extended information extra 
>> field is present for the file the compressed and 
>> uncompressed sizes will be 8 byte values.
>> 
>> 
>> While small Zip64 files with 8-byte data descriptors are not commonly found in the wild, it is possible to create one using the Info-ZIP command line `-fd` flag:
>> 
>> `echo hello | zip -fd > hello.zip`
>> 
>> The PR also adds a test verifying that such a small Zip64 file can be parsed by ZipInputStream.
>
> Eirik Bjorsnos has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Use block comments instead of javadoc comments to avoid doclint warnings

> Mark Thomas of Apache chimed in on the JBS to say that this limitation of ZipInputStream is affecting Tomcat migration tooling:
> 
> > This bug is affecting the library Apache Tomcat uses to automatically migrate web applications from Java EE to Jakarta EE.
> > [apache/tomcat-jakartaee-migration#46](https://github.com/apache/tomcat-jakartaee-migration/issues/46)

It would be useful to obtain the zip/jar in question to validate that your proposed patch addresses the issue as well as verifying if ZipfFile can be used to process the zip/jar as reading the long thread appears that ZipFile:getInputStream is fine.

Do you know how the Zip in question is being created, is it via ApacheCommons and could there be an issue there?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/12524#issuecomment-1513610001

More information about the core-libs-dev mailing list