RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]

Sean Mullan mullan at openjdk.java.net
Tue Feb 8 15:41:21 UTC 2022


On Mon, 7 Feb 2022 23:02:54 GMT, Lance Andersen <lancea at openjdk.org> wrote:

>> Hi all,
>> 
>> Please review the attached patch to address
>> 
>> - That JarFile::getInputStream did not check for a null ZipEntry passed as a parameter
>> - Have Zip/JarFile::getInputStream throw a ZipException in the event that an unexpected exception occurs
>> 
>> Mach5 tiers1-3 runs are clean as are the TCK java.util.zip and java.util.jar test runs
>> 
>> Best
>> Lance
>
> Lance Andersen has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Reduce Exception checking to JarFile::verifiableEntry

Marked as reviewed by mullan (Reviewer).

src/java.base/share/classes/java/util/jar/JarFile.java line 871:

> 869:         }
> 870:         // ZipEntry::getName should not return null
> 871:         if(ze.getName() != null) {

Nit, add space after "if"

src/java.base/share/classes/java/util/jar/JarFile.java line 874:

> 872:             ze = getJarEntry(ze.getName());
> 873:         } else {
> 874:             throw new ZipException("Error: ZipEntry::getName returned null!");
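
Review bot: Line 872 calls ze.getName() a second time after the null test on line 871. ZipEntry is not final and getName() can be overridden, so the value passed to getJarEntry is not guaranteed to be the one that was checked. Reading the name once into a local variable and using that local for both the null test and the getJarEntry call would close that gap.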

I'd probably leave out the "Error:" and the "!".

src/java.base/share/classes/java/util/jar/JarFile.java line 877:

> 875:         }
> 876:         // ZipEntry returned from JarFile::getJarEntry should not be null
> 877:         if(ze == null) {

Nit, add space after "if"

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348


