Resource size hints appear to be used incorrectly when using compression
Alan Bateman
Alan.Bateman at oracle.com
Wed Aug 8 12:22:08 UTC 2018
On 08/08/2018 06:19, Luke Hutchison wrote:
> :
>
> (2) size is used directly without restriction, rather than as a size hint.
> ZipEntry#getSize() may actually return a totally bogus value (you can write
> anything you want for the uncompressed size in a zipfile entry). If the
> requested size is large, e.g. something close to Integer.MAX_VALUE, large
> allocations will occur every time a resource is read, which can be used as
> a memory allocation attack vector.
>
I've changed the subject line as the original subject line suggested an
issue with the module system. Instead, I think your mail is about
run-time images created with `jlink --compress <level>`. The JDK
run-time images do not use compression so the code paths in the jimage
code for compressed resources may not be tested as well as the
uncompressed case. If there are bugs or inefficiencies in the handling
of compressed resources then we should get them into JIRA.
-Alan
More information about the jigsaw-dev
mailing list