Skip to content

Commit

Permalink
#366 Validate AES extra data record size
Browse files Browse the repository at this point in the history
  • Loading branch information
@srikanth-lingala
srikanth-lingala committed Mar 21, 2022
1 parent 3cf0cf7 commit 229d902
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 1 deletion.
3 changes: 2 additions & 1 deletion src/main/java/net/lingala/zip4j/headers/HeaderReader.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -650,7 +650,8 @@ private AESExtraDataRecord readAesExtraDataRecord(List<ExtraDataRecord> extraDat

if (extraDataRecord.getHeader() == HeaderSignature.AES_EXTRA_DATA_RECORD.getValue()) {

if (extraDataRecord.getData() == null) {
byte[] aesExtraDataRecordBytes = extraDataRecord.getData();
if (aesExtraDataRecordBytes == null || aesExtraDataRecordBytes.length != 9) {
throw new ZipException("corrupt AES extra data records");
}

Expand Down
9 changes: 9 additions & 0 deletions src/test/java/net/lingala/zip4j/io/inputstream/ZipInputStreamIT.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -319,6 +319,15 @@ public void testExtractZipFileWithFileNameLength0ThrowsException() throws IOExce
null, InternalZipConstants.BUFF_SIZE, false, 1);
}

@Test
public void testExtractZipFileWithInvalidAesExtraDataRecordThrowsException() throws IOException {
expectedException.expect(ZipException.class);
expectedException.expectMessage("corrupt AES extra data records");

extractZipFileWithInputStreams(TestUtils.getTestArchiveFromResources("invalid_aes_extra_data_record_length_in_header"),
null, InternalZipConstants.BUFF_SIZE, false, 1);
}

private void extractZipFileWithInputStreams(File zipFile, char[] password) throws IOException {
extractZipFileWithInputStreams(zipFile, password, InternalZipConstants.BUFF_SIZE);
}
Expand Down
Binary file added src/test/resources/test-archives/invalid_aes_extra_data_record_length_in_header
View file
Binary file not shown.

0 comments on commit 229d902

Please sign in to comment.