RFR: 8336025: Improve ZipOutputStream validation of MAX CEN Header field limits [v2]
Eirik Bjørsnøs
eirbjo at openjdk.org
Mon Sep 16 12:19:04 UTC 2024
On Mon, 16 Sep 2024 11:19:36 GMT, Lance Andersen <lancea at openjdk.org> wrote:
> I left that intentionally for now. A follow on PR will be updating the ZipEntry javadoc to reduce the max size of the validation check once this PR is finalized.
Hang on, not sure I follow. Perhaps I just didn't understand your response.
Just to clarify my own comment first:
If the entry comment is `> 0xFFFF` at this point, then it will in all cases cause a rejection with a ZipException when the combined clause is enforced a few lines down since the comment size itself is sufficient to violate the `headerSize` check? Moving the `headerSize` validation before the comment processing would enforce the invariant that `comment < 0xFFFF - CENHDR`, thus the truncation logic would not be necessary.
This PR documents the "combined clause" limitation in ZipEntry according to `APPNOTE.TXT`. How and why should this be reduced in the follow on PR? I don't seem to understand the scope and purpose of the follow on PR.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/21003#discussion_r1761036460