This repository was archived by the owner on Jan 23, 2023. It is now read-only.

Check uncompressed size before decompressing a zip file. Fixes 33058 #38314

Merged: buyaa-n merged 12 commits into dotnet:master from buyaa-n:new_uncompressed_length on Jun 26, 2019

@buyaa-n buyaa-n commented Jun 6, 2019

Fixes #33058
There are 2 things done in this PR to account for uncompressed size when opening/reading a zip file:

  1. Compare the compressed and uncompressed sizes written in the local file header and the central directory record. If they don't match, throw InvalidDataException.
     • As we were just skipping the local file header before, added code for reading the local file header as needed (accounting for the data descriptor, in which case the sizes are written at the end of the compressed file stream)
     • and then check data validity.
  2. Truncate the inflated stream read up to the uncompressed size; throw if it was over the uncompressed size.

@buyaa-n buyaa-n requested review from carlossanlop and ericstj June 6, 2019 17:36
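
The two checks listed in the PR description, shown at the ZIP format level as an added example; this is Python written for illustration, not the code merged in this PR. The function names, the constructed sample archive and the use of ValueError (where the PR throws InvalidDataException) are assumptions of the example, which reads one deflate entry without ZIP64.

```python
import io
import struct
import zipfile
import zlib

def central_dir_offset(data: bytes) -> int:
    eocd = data.rfind(b"PK\x05\x06")             # end of central directory record
    return struct.unpack_from("<I", data, eocd + 16)[0]

def build_sample(tamper: str = "none") -> bytes:
    """Constructed single-entry archive; 'central' or 'both' understates the size."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("a.txt", b"A" * 4096)
    data = bytearray(buf.getvalue())
    if tamper in ("central", "both"):            # central directory uncompressed size
        struct.pack_into("<I", data, central_dir_offset(data) + 24, 16)
    if tamper == "both":                         # local header sits at offset 0
        struct.pack_into("<I", data, 22, 16)
    return bytes(data)

def read_first_entry(data: bytes) -> bytes:
    cd = central_dir_offset(data)
    if data[cd:cd + 4] != b"PK\x01\x02":
        raise ValueError("central directory record not found")
    c_csize, c_usize = struct.unpack_from("<II", data, cd + 20)
    lfh = struct.unpack_from("<I", data, cd + 42)[0]
    if data[lfh:lfh + 4] != b"PK\x03\x04":
        raise ValueError("local file header not found")
    flags, method = struct.unpack_from("<HH", data, lfh + 6)
    l_csize, l_usize, name_len, extra_len = struct.unpack_from("<IIHH", data, lfh + 18)
    # Check 1: both headers must declare the same sizes. With flag bit 3 set the
    # real sizes live in the data descriptor, so the header comparison is skipped.
    if not flags & 0x08 and (l_csize, l_usize) != (c_csize, c_usize):
        raise ValueError("local header and central directory sizes differ")
    if method != 8:
        raise ValueError("example handles deflate only")
    start = lfh + 30 + name_len + extra_len
    inflater = zlib.decompressobj(-15)           # raw deflate stream
    # Check 2: never inflate more than the declared size plus one byte; that one
    # extra byte is enough to prove the stream is longer than it claims.
    out = inflater.decompress(data[start:start + c_csize], c_usize + 1)
    if len(out) > c_usize:
        raise ValueError("inflated data exceeds declared uncompressed size")
    return out
```
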
buyaa-n commented Jun 11, 2019

@ericstj @bartonjs comments addressed, please re-review

buyaa-n commented Jun 24, 2019

@ericstj @bartonjs comments addressed, please re-review

@ericstj ericstj requested a review from stephentoub June 24, 2019 17:19
buyaa-n commented Jun 25, 2019

@ericstj @bartonjs @ChadNedzlek comments addressed, please re-review

@buyaa-n buyaa-n merged commit cece0df into dotnet:master Jun 26, 2019
@karelz karelz added this to the 3.0 milestone Jul 16, 2019
@buyaa-n buyaa-n deleted the new_uncompressed_length branch July 22, 2019 16:30
picenka21 pushed a commit to picenka21/runtime that referenced this pull request Feb 18, 2022
…otnet/corefx#38314)

Account uncompressed size while decompressing a zip file. Fixes 33058

I am sure now the fix is good enough for merging; if anyone has more questions/comments please let me know/comment

Commit migrated from dotnet/corefx@cece0df
Successfully merging this pull request may close these issues.

ZipArchive does not indicate in any way if file length specified in central directory does not match the actual file length.
