Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid IndexOutOfRangeException in ZipArchive #109168

Merged
merged 6 commits into from
Jan 15, 2025
Merged

Avoid IndexOutOfRangeException in ZipArchive #109168

merged 6 commits into from
Jan 15, 2025

Conversation

peter15914
Copy link
Contributor

Fixes #109167

This pull request fixes unexpected IndexOutOfRangeException in ZipArchive.
Additional check added that array index is not out of range.
It is done in a similar way to the code in HuffmanTree.c:230:

if (value > 0)
{
    // prevent an IndexOutOfRangeException from array[index]
    throw new InvalidDataException(SR.InvalidHuffmanData);
}

Found by Linux Verification Center (linuxtesting.org).

@dotnet-policy-service dotnet-policy-service bot added the community-contribution Indicates that the PR has been added by a community member label Oct 23, 2024
This was referenced Oct 24, 2024
Closed
Open
@peter15914
Copy link
Contributor Author

Hello, @ericstj , @dotnet/area-system-io-compression !
Can you review this PR?

peter15914 added a commit to peter15914/runtime-assets that referenced this pull request Nov 20, 2024
@peter15914
Add zip file with invalid Huffman data
9f3f2bd 
An IndexOutOfRangeException exception is thrown when this invalid zip file is opened with ZipArchive.
This file is generated while fuzzing ZipArchive with AFL++.

More details in issue and pull request:
dotnet/runtime#109167
dotnet/runtime#109168
@peter15914 peter15914 mentioned this pull request Nov 20, 2024
Merged
akoeplinger pushed a commit to dotnet/runtime-assets that referenced this pull request Nov 21, 2024
@peter15914
Add zip file with invalid Huffman data (#510)
4daef9f 
An IndexOutOfRangeException exception is thrown when this invalid zip file is opened with ZipArchive.
This file is generated while fuzzing ZipArchive with AFL++.

More details in issue and pull request:
dotnet/runtime#109167
dotnet/runtime#109168
@akoeplinger
Copy link
Member

akoeplinger commented Nov 21, 2024
edited
Loading

@peter15914 FYI you'll need to wait until #109477 is merged to be able to consume the runtime-assets changes. Once that PR is in you can merge main into your branch and you should be able to access the new file.

This was referenced Nov 21, 2024
Open
Open
Open
@peter15914
Merge branch 'dotnet:main' into fix-ziparchive-outofrange
5bcc660
@peter15914
Add Sys.IO.Compression test
9230407 
Add test to cover problem with invalid zip file.
Currently an IndexOutOfRangeException is thrown when invalid zip file is opened with ZipArchive.
@peter15914
Copy link
Contributor Author

@dotnet-policy-service agree

@build-analysis build-analysis bot mentioned this pull request Nov 23, 2024
Open
@peter15914
Copy link
Contributor Author

Hello @stephentoub !
I added unit test for this scenario.
Method ZipArchive_InvalidHuffmanData is made similar to existing functions in zip_InvalidParametersAndStrangeFiles.cs.

@stephentoub
Copy link
Member

Hello @stephentoub ! I added unit test for this scenario. Method ZipArchive_InvalidHuffmanData is made similar to existing functions in zip_InvalidParametersAndStrangeFiles.cs.

Thanks!

Copilot
Copilot AI reviewed Dec 17, 2024
View reviewed changes

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
ericstj
ericstj reviewed Dec 17, 2024
View reviewed changes
Copy link
Member

@ericstj ericstj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a small suggestion, but I'd like @carlossanlop to review too

src/libraries/System.IO.Compression/tests/ZipArchive/zip_InvalidParametersAndStrangeFiles.cs Outdated Show resolved Hide resolved
@peter15914 @ericstj
Update Add Sys.IO.Compression test
94bc3e4 
Change "Theory" to "Fact"

Co-authored-by: Eric StJohn <ericstj@microsoft.com>
@ViktorHofer
Copy link
Member

@carlossanlop PTAL

This was referenced Jan 15, 2025
Open
Open
Open
Open
carlossanlop
carlossanlop approved these changes Jan 15, 2025
View reviewed changes
Copy link
Member

@carlossanlop carlossanlop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. The condition makes sense and the test verifies the reported scenario.

@ViktorHofer
Copy link
Member

ViktorHofer commented Jan 15, 2025
edited
Loading

/ba-g a lot of timeouts in different legs for which we already have dnceng issues

@ViktorHofer ViktorHofer merged commit 1ce82e7 into dotnet:main Jan 15, 2025
77 of 82 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephentoub stephentoub stephentoub left review comments

@ericstj ericstj ericstj left review comments

Copilot code review Copilot Copilot left review comments

@carlossanlop carlossanlop carlossanlop approved these changes

@ViktorHofer ViktorHofer ViktorHofer approved these changes

Assignees

@carlossanlop carlossanlop

Labels
area-System.IO.Compression community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

IndexOutOfRangeException in System.IO.Compression.ZipArchive
6 participants
@peter15914 @akoeplinger @stephentoub @ViktorHofer @carlossanlop @ericstj