RFR: 8303866: Allow ZipInputStream.readEnd to parse small Zip64 ZIP files [v16]

Eirik Bjørsnøs eirbjo at openjdk.org
Mon Feb 5 13:14:39 UTC 2024


> ZipInputStream.readEnd currently assumes a Zip64 data descriptor if the number of compressed or uncompressed bytes read from the inflater is larger than the Zip64 magic value.
> 
> While the ZIP format mandates that the data descriptor `SHOULD be stored in ZIP64 format (as 8 byte values) when a file's size exceeds 0xFFFFFFFF`, it also states that `ZIP64 format MAY be used regardless of the size of a file`. For such small entries, the above assumption does not hold.
> 
> This PR augments ZipInputStream.readEnd to also assume 8-byte sizes if the ZipEntry includes a Zip64 extra information field AND at least one of the 'compressed size' and 'uncompressed size' have the expected Zip64 "magic" value 0xFFFFFFFF. This brings ZipInputStream into alignment with the APPNOTE format spec:
> 
> 
> When extracting, if the zip64 extended information extra 
> field is present for the file the compressed and 
> uncompressed sizes will be 8 byte values.
> 
> 
> While small Zip64 files with 8-byte data descriptors are not commonly found in the wild, it is possible to create one using the Info-ZIP command line `-fd` flag:
> 
> `echo hello | zip -fd > hello.zip`
> 
> The PR also adds a test verifying that such a small Zip64 file can be parsed by ZipInputStream.

Eirik Bjørsnøs has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains 230 commits:

 - Update readZipInputStream to verify that the ZipInputStream finds a single zip entry with the expected contents
 - Merge branch 'master' into data-descriptor
 - Merge branch 'master' into data-descriptor
 - Update comment of expect64BitDataDescriptor to reflect relaxed validation
 - Dial down validation of the Zip64 extra field
 - 8321712: C2: "failed: Multiple uses of register" in C2_MacroAssembler::vminmax_fp
   
   Co-authored-by: Volodymyr Paprotski <vpaprotski at openjdk.org>
   Reviewed-by: kvn, thartmann, epeter, jbhateja
 - 8319128: sun/security/pkcs11 tests fail on OL 7.9 aarch64
   
   Reviewed-by: mbaesken
 - 8322971: KEM.getInstance() should check if a 3rd-party security provider is signed
   
   Reviewed-by: mullan, valeriep
 - 8320890: [AIX] Find a better way to mimic dl handle equality
   
   Reviewed-by: stuefe, mdoerr
 - 8323276: StressDirListings.java fails on AIX
   
   Reviewed-by: jpai, dfuchs
 - ... and 220 more: https://git.openjdk.org/jdk/compare/692c9f88...e8d3b904

-------------

Changes: https://git.openjdk.org/jdk/pull/12524/files
 Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=12524&range=15
  Stats: 342 lines in 2 files changed: 338 ins; 0 del; 4 mod
  Patch: https://git.openjdk.org/jdk/pull/12524.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/12524/head:pull/12524

PR: https://git.openjdk.org/jdk/pull/12524
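
The descriptor-width rule from the PR description, as an added Python example that is not the JDK's code: a stream parser has to choose between a 16-byte and a 24-byte data descriptor before it can find the next header. The function names and the sample entry are hypothetical and constructed here; the sketch assumes a deflated entry whose data descriptor carries the optional signature.

```python
import struct
import zlib

ZIP64_MAGIC = 0xFFFFFFFF      # "magic" size value from the description above
ZIP64_EXTRA_ID = 0x0001       # header ID of the Zip64 extended information field
LOC_SIG, DD_SIG = 0x04034B50, 0x08074B50
LOC_FMT = "<IHHHHHIIIHH"      # 30-byte local file header

def has_zip64_extra(extra):
    """Walk the (header ID, data size) records of an extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, pos)
        if tag == ZIP64_EXTRA_ID:
            return True
        pos += 4 + size
    return False

def expect_64bit_descriptor(csize_hdr, size_hdr, extra, bytes_in, bytes_out):
    """Hypothetical helper implementing the rule from the PR description."""
    if bytes_in > ZIP64_MAGIC or bytes_out > ZIP64_MAGIC:
        return True
    return has_zip64_extra(extra) and ZIP64_MAGIC in (csize_hdr, size_hdr)

def read_streamed_entry(buf):
    """Parse one deflated, streamed entry; return (name, data, descriptor length)."""
    sig, _, flags, method, _, _, _, csize, size, nlen, elen = struct.unpack_from(LOC_FMT, buf)
    if sig != LOC_SIG or not flags & 0x08 or method != 8:
        raise ValueError("not a deflated entry with a data descriptor")
    start = 30 + nlen + elen
    inflater = zlib.decompressobj(-15)            # raw deflate
    data = inflater.decompress(buf[start:])
    rest = inflater.unused_data                   # bytes after the deflate stream
    bytes_in = len(buf) - start - len(rest)
    wide = expect_64bit_descriptor(csize, size, buf[30 + nlen:start], bytes_in, len(data))
    fmt = "<IIQQ" if wide else "<IIII"            # signature, CRC, csize, size
    dd_sig, crc, dd_csize, dd_size = struct.unpack_from(fmt, rest)
    if (dd_sig, crc, dd_csize, dd_size) != (DD_SIG, zlib.crc32(data), bytes_in, len(data)):
        raise ValueError("data descriptor does not match the inflated data")
    return buf[30:30 + nlen].decode(), data, struct.calcsize(fmt)

def build_sample(payload, zip64):  # constructed sample input: one streamed entry named "-"
    comp = zlib.compressobj(wbits=-15)
    raw = comp.compress(payload) + comp.flush()
    extra = struct.pack("<HHQQ", ZIP64_EXTRA_ID, 16, 0, 0) if zip64 else b""
    hdr_size = ZIP64_MAGIC if zip64 else 0
    hdr = struct.pack(LOC_FMT, LOC_SIG, 45, 0x08, 8, 0, 0, 0, hdr_size, hdr_size, 1, len(extra))
    dd = struct.pack("<IIQQ" if zip64 else "<IIII", DD_SIG, zlib.crc32(payload), len(raw), len(payload))
    return hdr + b"-" + extra + raw + dd
```

Deciding on the byte counters alone would read the small Zip64 sample's 24-byte descriptor as 16 bytes, so the size check fails and the remaining 8 bytes are left where the next header is expected.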

