Address CodeQL issues in pack200/unpack200 packages.
Throw ArithmeticException instead of silently overflowing.
garydgregory committed Feb 9, 2022
1 parent 39abfb1 commit 666e787a17e4e7321b70e99e55acf27b6382ab17
Showing 6 changed files with 59 additions and 8 deletions.
@@ -30,6 +30,7 @@
import java.util.concurrent.TimeUnit;

import org.apache.commons.compress.archivers.ArchiveEntry;
import org.apache.commons.compress.utils.ExactMath;

/**
* A cpio archive consists of a sequence of files. There are several types of
@@ -572,7 +573,7 @@ public int getHeaderPadCount(final long nameSize) {
}
int size = this.headerSize + 1; // Name has terminating null
if (name != null) {
size += nameSize;
size = ExactMath.add(size, nameSize);
}
final int remain = size % this.alignmentBoundary;
if (remain > 0) {
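Review bot: The new `size = ExactMath.add(size, nameSize);` line makes getHeaderPadCount throw an unchecked ArithmeticException, but nothing in the hunk documents that on the method, whose signature is only visible in the hunk header; add `@throws ArithmeticException if {@code nameSize} does not fit in an {@code int} or the padded size overflows` to its Javadoc. If nameSize can originate from a header read out of the archive, callers that wrap parsing in an IOException handler will now see this unchecked exception rather than a parse error, so it may be worth mapping it to the archive's usual exception type at the read boundary. getHeaderPadCount's body starts before this hunk.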
@@ -22,6 +22,8 @@
import java.util.ArrayList;
import java.util.List;

import org.apache.commons.compress.utils.ExactMath;

/**
* A BHSD codec is a means of encoding integer values as a sequence of bytes or vice versa using a specified "BHSD"
* encoding mechanism. It uses a variable-length encoding and a modified sign representation such that small numbers are
@@ -243,7 +245,7 @@ public int[] decodeInts(final int n, final InputStream in) throws IOException, P
band[i] -= cardinality;
}
while (band[i] < smallest) {
band[i] += cardinality;
band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -260,7 +262,7 @@ public int[] decodeInts(final int n, final InputStream in, final int firstValue)
band[i] -= cardinality;
}
while (band[i] < smallest) {
band[i] += cardinality;
band[i] = ExactMath.add(band[i], cardinality);
}
}
}
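Review bot: The `band[i] -= cardinality;` line two above each exact add is still a plain compound assignment, so the subtraction side of the normalisation keeps the silent-overflow behaviour the commit removes from the addition side; since `ExactMath.add` takes a `long` second operand, `cardinality` is presumably a long, and `-=` then also narrows the result to int without any check. Replace it with `band[i] = Math.subtractExact(band[i], Math.toIntExact(cardinality));` or a matching `ExactMath.subtract` helper. The same pattern is left in the second decodeInts hunk of this file, in both normalise hunks of the run-codec file and in the decodeBandInt hunk of the band-set superclass file. decodeInts begins before these hunks.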
@@ -25,6 +25,7 @@

import org.apache.commons.compress.harmony.pack200.Archive.PackingFile;
import org.apache.commons.compress.harmony.pack200.Archive.SegmentUnit;
import org.apache.commons.compress.utils.ExactMath;
import org.objectweb.asm.ClassReader;

/**
@@ -86,7 +87,7 @@ public FileBands(final CpBands cpBands, final SegmentHeader segmentHeader, final
}
final byte[] bytes = packingFile.getContents();
file_size[i] = bytes.length;
totalSize += file_size[i];
totalSize = ExactMath.add(totalSize, file_size[i]);

// update modification time
modtime = (packingFile.getModtime() + TimeZone.getDefault().getRawOffset()) / 1000L;
@@ -20,6 +20,8 @@
import java.io.InputStream;
import java.util.Arrays;

import org.apache.commons.compress.utils.ExactMath;

/**
* A run codec is a grouping of two nested codecs; K values are decoded from the first codec, and the remaining codes
* are decoded from the remaining codec. Note that since this codec maintains state, the instances are not reusable.
@@ -68,7 +70,7 @@ private int normalise(int value, final Codec codecUsed) {
value -= cardinality;
}
while (value < bhsd.smallest()) {
value += cardinality;
value = ExactMath.add(value, cardinality);
}
}
}
@@ -98,7 +100,7 @@ private void normalise(final int[] band, final Codec codecUsed) {
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
band[i] += cardinality;
band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -117,7 +119,7 @@ private void normalise(final int[] band, final Codec codecUsed) {
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
band[i] += cardinality;
band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -36,6 +36,7 @@
import org.apache.commons.compress.harmony.unpack200.bytecode.CPNameAndType;
import org.apache.commons.compress.harmony.unpack200.bytecode.CPString;
import org.apache.commons.compress.harmony.unpack200.bytecode.CPUTF8;
import org.apache.commons.compress.utils.ExactMath;

/**
* Abstract superclass for a set of bands
@@ -118,7 +119,7 @@ public int[] decodeBandInt(final String name, final InputStream in, final BHSDCo
band[i] -= cardinality;
}
while (band[i] < bhsd.smallest()) {
band[i] += cardinality;
band[i] = ExactMath.add(band[i], cardinality);
}
}
}
@@ -0,0 +1,44 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.commons.compress.utils;

/**
* PRIVATE.
*
* Performs exact math through {@link Math} "exact" APIs.
*/
public class ExactMath {

private ExactMath() {
// no instances
}

/**
* Adds two values and throws an exception on overflow.
*
* @param intValue the first value.
* @param longValue the second value.
* @return addition of both values.
* @throws ArithmeticException when there is an overflow.
*/
public static int add(final int intValue, final long longValue) {
return Math.addExact(intValue, Math.toIntExact(longValue));
}
}
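Review bot: `Math.toIntExact(longValue)` is applied before the addition, so `add` rejects sums that do fit in an int: with constructed inputs `add(-1, 2147483648L)` has the exact result Integer.MAX_VALUE yet throws on the conversion. If that is not intended, compute in long and narrow once, `return Math.toIntExact(Math.addExact((long) intValue, longValue));`; if it is intended, the `@throws` text should say the long operand must itself fit in an int. Since the class only has a private constructor it should also be declared `public final class ExactMath`, and the class Javadoc would be clearer if "PRIVATE" were spelled out as internal API with no compatibility guarantee.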
