RFR: 8280409: JarFile::verifiableEntry can fail with NPE accessing ze.getName() [v2]

Alan Bateman alanb at openjdk.java.net
Tue Feb 8 16:02:11 UTC 2022


On Tue, 8 Feb 2022 15:27:46 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Lance Andersen has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Reduce Exception checking to JarFile::verifiableEntry
>
> src/java.base/share/classes/java/util/jar/JarFile.java line 871:
> 
>> 869:         }
>> 870:         // ZipEntry::getName should not return null
>> 871:         if(ze.getName() != null) {
> 
> Nit, add space after "if"

If ZipEntry is extended and getName() overridden then you can't trust the name. So I think you'll have to extract the name rather than calling ZipEntry::getName twice. I'm almost tempted to have getInputStream(ZipEntry) be re-specified to throw IAE if the zip entry is null.

> src/java.base/share/classes/java/util/jar/JarFile.java line 877:
> 
>> 875:         }
>> 876:         // ZipEntry returned from JarFile::getJarEntry should not be null
>> 877:         if(ze == null) {
> 
> Nit, add space after "if"

ze can't be null here.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7348
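
The point above about calling ZipEntry::getName twice, shown as an added Java example that is not part of the original message or of the JDK change. `ShiftyEntry`, `lookup`, `checkedTwice` and `checkedOnce` are hypothetical names constructed for illustration.

```java
import java.util.zip.ZipEntry;

public class GetNameOnce {
    // Constructed subclass: getName() answers differently on each call.
    static class ShiftyEntry extends ZipEntry {
        private int calls;
        ShiftyEntry(String name) { super(name); }
        @Override
        public String getName() {
            // First call returns the real name, later calls return null.
            return calls++ == 0 ? super.getName() : null;
        }
    }

    // Hypothetical stand-in for a lookup keyed by entry name.
    static int lookup(String name) {
        return name.length(); // throws NullPointerException if name is null
    }

    // Check-then-use with two calls: the value checked is not the value used.
    static int checkedTwice(ZipEntry ze) {
        if (ze.getName() != null) {
            return lookup(ze.getName());
        }
        throw new IllegalArgumentException("entry has no name");
    }

    // Read once into a local: the check and the use see the same String.
    static int checkedOnce(ZipEntry ze) {
        String name = ze.getName();
        if (name == null) {
            throw new IllegalArgumentException("entry has no name");
        }
        return lookup(name);
    }

    public static void main(String[] args) {
        try {
            checkedTwice(new ShiftyEntry("META-INF/MANIFEST.MF"));
        } catch (NullPointerException e) {
            System.out.println("checkedTwice: NPE despite the null check");
        }
        System.out.println("checkedOnce: "
                + checkedOnce(new ShiftyEntry("META-INF/MANIFEST.MF")));
    }
}
```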


