RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName()

Alan Bateman alanb at openjdk.java.net
Fri Feb 4 15:14:16 UTC 2022


On Fri, 4 Feb 2022 12:42:39 GMT, Lance Andersen <lancea at openjdk.org> wrote:

> Hi all,
> 
> Please review the attached patch to address
> 
> - That JarFile::getInputStream did not check for a null ZipEntry passed as a parameter
> - Have Zip/JarFile::getInputStream throw a ZipException in the event that an unexpected exception occurs
> 
> Mach5 tiers 1-3 runs are clean, as are the TCK java.util.zip and java.util.jar test runs
> 
> Best
> Lance

src/java.base/share/classes/java/util/jar/JarFile.java line 840:

> 838:         throws IOException
> 839:     {
> 840:         Objects.requireNonNull(ze, "ze");

Is the NPE specified?

src/java.base/share/classes/java/util/jar/JarFile.java line 866:

> 864:         } catch (Exception e2) {
> 865:             // Any other Exception should be a ZipException
> 866:             throw (ZipException) new ZipException("Zip file format error").initCause(e2);

If there is a ZIP format error then I would expect a ZipException, or the more general IOException, to already be thrown. So I think this is catching other cases, maybe broken manifests or signed JAR files, in which case a JarException may be better.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348
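For readers following this review, the following added example (not code from the PR or from the JDK itself) shows the caller-side pattern the null check above is guarding: look the entry up by name first so a missing entry never reaches getInputStream as null, and order catch blocks so that a JarException (a subclass of ZipException, which in turn extends IOException) can be told apart from a plain ZIP format error. The sample JAR is constructed in a temp file and is unsigned; readEntry and its "no entry named" policy are hypothetical helpers written for this illustration. Passing null directly is shown only to make the failure mode visible; on an unsigned JAR the rejection comes from ZipFile.getInputStream itself.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarException;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;
import java.util.zip.ZipException;

public class JarEntryReadDemo {

    // Constructed sample input: a small unsigned JAR with one entry, written to a temp file.
    static Path writeSampleJar() throws IOException {
        Path jar = Files.createTempFile("sample", ".jar");
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar), mf)) {
            out.putNextEntry(new JarEntry("hello.txt"));
            out.write("hello".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return jar;
    }

    // Hypothetical helper: resolve the entry by name and refuse to proceed when it is
    // absent, so getInputStream is never handed a null ZipEntry.
    static byte[] readEntry(JarFile jf, String name) throws IOException {
        JarEntry entry = jf.getJarEntry(name);
        if (entry == null) {
            throw new IOException("no entry named " + name); // policy chosen for this example
        }
        try (InputStream in = jf.getInputStream(entry)) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        Path jar = writeSampleJar();
        // verify=true: signature verification would be applied if the JAR were signed.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            System.out.println(new String(readEntry(jf, "hello.txt"), StandardCharsets.UTF_8));

            // Passing null directly: ZipFile.getInputStream rejects a null entry with an NPE.
            try {
                jf.getInputStream(null);
            } catch (NullPointerException e) {
                System.out.println("null entry rejected: " + e);
            }

            // JarException extends ZipException extends IOException, so the most specific
            // type must be caught first for the distinction to be observable.
            try {
                readEntry(jf, "missing.txt");
            } catch (JarException e) {
                System.out.println("jar-specific problem: " + e.getMessage());
            } catch (ZipException e) {
                System.out.println("zip format problem: " + e.getMessage());
            } catch (IOException e) {
                System.out.println("other I/O problem: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(jar);
        }
    }
}
```

The catch ordering is the practical consequence of the JarException-versus-ZipException question raised above: if the library settles on JarException for manifest or signature problems, callers that already catch ZipException keep working, and callers that want to distinguish the two cases can do so only by catching JarException first.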
