JDK / JDK-8056934

ZipInputStream does not correctly handle local header data descriptors with the optional signature missing


    • Type: Bug
    • Resolution: Fixed
    • Priority: P2
    • 9
    • None
    • core-libs
    • None
    • b32
    • generic
    • generic
    • Verified

        A zip file local header may be optionally followed by a "data descriptor", and that may optionally include a signature. ZipInputStream has code to handle the situation when the optional signature is missing, but it is buggy - off-by-one.

        webrev: http://cr.openjdk.java.net/~martin/webrevs/openjdk9/zip-DataDescriptorSignatureMissing/

            /*
             * Local headers for DEFLATED entries may optionally be followed by a
             * data descriptor, and that data descriptor may optionally contain a
             * leading signature (EXTSIG).
             *
             * From the zip spec http://www.pkware.com/documents/casestudies/APPNOTE.TXT
             *
             * """Although not originally assigned a signature, the value 0x08074b50
             * has commonly been adopted as a signature value for the data descriptor
             * record. Implementers should be aware that ZIP files may be
             * encountered with or without this signature marking data descriptors
             * and should account for either case when reading ZIP files to ensure
             * compatibility."""
             *
             * As of 2014-08, python's zipfile implementation does not include the
             * optional signature, but other implementations (including openjdk) do.
             *
             * ZipFile.writestr writes incorrect extended local headers
             * http://bugs.python.org/issue1742205
             */
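
The two descriptor layouts described in the comment above, as an added example that is not the JDK fix or code from the webrev: a small Python reader that accepts a data descriptor with or without EXTSIG by checking its fields against the bytes actually decoded, then reports where the next local header starts. The names `build_entry` and `read_entry` are hypothetical, the sample entries are constructed, and non-ZIP64 (4-byte) size fields are assumed.

```python
import struct
import zlib

LOCSIG = 0x04034B50  # local file header signature
EXTSIG = 0x08074B50  # optional data descriptor signature
FLAG_DATA_DESCRIPTOR = 0x0008  # general purpose bit 3


def build_entry(name: bytes, data: bytes, with_sig: bool) -> bytes:
    """Constructed sample: one DEFLATED local entry followed by a data descriptor."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(data) + comp.flush()
    header = struct.pack("<IHHHHHIIIHH", LOCSIG, 20, FLAG_DATA_DESCRIPTOR, 8,
                         0, 0, 0, 0, 0, len(name), 0) + name
    desc = struct.pack("<III", zlib.crc32(data), len(raw), len(data))
    if with_sig:
        desc = struct.pack("<I", EXTSIG) + desc
    return header + raw + desc


def read_entry(buf: bytes):
    """Return (data, has_signature, next_offset) for the entry at offset 0."""
    (sig, _ver, flags, method, _t, _d, _crc, _csize, _size,
     nlen, xlen) = struct.unpack_from("<IHHHHHIIIHH", buf, 0)
    if sig != LOCSIG or method != 8 or not flags & FLAG_DATA_DESCRIPTOR:
        raise ValueError("expected a DEFLATED entry with a data descriptor")
    start = 30 + nlen + xlen
    inf = zlib.decompressobj(-15)
    data = inf.decompress(buf[start:])
    if not inf.eof:
        raise ValueError("truncated deflate stream")
    tail = inf.unused_data               # bytes following the compressed data
    csize = len(buf) - start - len(tail)
    expected = (zlib.crc32(data), csize, len(data))
    # Try the 16-byte form (EXTSIG + 3 fields), then the 12-byte form.
    # Accept a layout only if its fields match what was actually decoded, so a
    # CRC that happens to equal EXTSIG cannot be mistaken for a signature.
    for has_sig, skip in ((True, 4), (False, 0)):
        if len(tail) < skip + 12:
            continue
        if has_sig and struct.unpack_from("<I", tail)[0] != EXTSIG:
            continue
        if struct.unpack_from("<III", tail, skip) == expected:
            return data, has_sig, len(buf) - len(tail) + skip + 12
    raise ValueError("data descriptor does not match the decoded entry")
```

Because `next_offset` is derived from the layout that validated, a stream that mixes both descriptor forms stays aligned on the following local header; a reader that miscounts the descriptor length by even one byte loses that alignment.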

              martin Martin Buchholz