RFR: 8340553: ZipEntry field validation does not take into account the size of a CEN header [v2]
Lance Andersen
lancea at openjdk.org
Thu Oct 17 19:32:49 UTC 2024
On Thu, 17 Oct 2024 18:45:01 GMT, Eirik Bjørsnøs <eirbjo at openjdk.org> wrote:
> But that's my subjective opinion, it's understandable and fine that others see it differently.
Again, I understand your suggestion and will give it some additional thought. The original intent was to address the incorrect max value that each of the 3 fields was being validated against, which has been there since at least JDK 1.3.
Overall this is a corner case, and out of a search of 90,000+ jars, only 520 CEN Headers were encountered with a size between 500-1000 bytes; all other entries were < 500 bytes.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21544#discussion_r1805311563