Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8280409

JarFile::getInputStream can fail with NPE accessing ze.getName()

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P4 P4
    • 19
    • None
    • core-libs
    • None
    • b12
    • generic
    • generic

      A fuzzed jar file causes an NPE in JarFile::verifiableEntry due to
      access to a null pointer.

      java JarTest npe_ze_null.jar javax/inject/Singleton.class
      [...]
      Exception in thread "main" java.lang.NullPointerException: Cannot invoke
      "java.util.zip.ZipEntry.getName()" because "ze" is null
      at java.base/java.util.jar.JarFile.verifiableEntry(JarFile.java:863)
      at java.base/java.util.jar.JarFile.getInputStream(JarFile.java:853)
      at JarTest.main(JarTest.java:18)

      private JarEntry verifiableEntry(ZipEntry ze) {
              if (ze instanceof JarFileEntry) {
                  // assure the name and entry match for verification
                  return ((JarFileEntry)ze).realEntry();
              }
              ze = getJarEntry(ze.getName()); <======
              if (ze instanceof JarFileEntry) {
                  return ((JarFileEntry)ze).realEntry();
              }
              return (JarEntry)ze;
          }

            lancea Lance Andersen
            jeff Jeff Dinkins
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: