Skip to content

Fix copyOfRange end index in x0017 strong encryption header#786

Merged
garydgregory merged 1 commit into
apache:masterfrom
kali834x:x0017-copyofrange-end-index
Jul 15, 2026
Merged

Fix copyOfRange end index in x0017 strong encryption header#786
garydgregory merged 1 commit into
apache:masterfrom
kali834x:x0017-copyofrange-end-index

Conversation

@kali834x

Copy link
Copy Markdown
Contributor

parseFileFormat in X0017_StrongEncryptionHeader passes the raw ivSize/erdSize/hashSize/resize/vSize fields as the third argument to Arrays.copyOfRange, which is an end index and not a length, so every other extra-field parser in this package uses the offset+length form instead. a crafted 0x0017 local extra field where the recipient key hash starts past hashSize makes copyOfRange throw IllegalArgumentException (fromIndex > toIndex), and fillExtraField only maps ArrayIndexOutOfBoundsException to ZipException, so that runtime exception escapes uncaught out of ZIP parsing; the earlier fields are also sliced to the wrong length. compute each end index as from + size and drop the assertMinimalLength guards that only existed to dodge the from > to case, the surviving assertDynamicLengthFits/prefix checks already bound every slice so malformed input now surfaces as the declared ZipException. added X0017_StrongEncryptionHeaderTest covering the recipient-key-hash case.

@garydgregory garydgregory changed the title fix copyOfRange end index in x0017 strong encryption header Fix copyOfRange end index in x0017 strong encryption header Jul 15, 2026
@garydgregory
garydgregory merged commit 9d6d7c5 into apache:master Jul 15, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants