StackOverflowError/OutOfMemoryError when dependency jar contains zip bomb inside

[grossws]

Expected Behavior

Zip Bomb inside jar not to trigger any error.

Current Behavior

StackOverflowError on 7.0 and OutOfMemoryError on 6.8.3 without any context for the exception.

Context

Triggered issue after adding org.apache.tika:tika-parsers:1.22:tests.

See also: https://gradle-community.slack.com/archives/CAH4ZP3GX/p1618760838029700

Steps to Reproduce

• Create following build.gradle.kts:

plugins { java }
dependencies { testImplementation(group = "org.apache.tika", name = "tika-parsers", version = "1.22", classifier = "tests") }
repositories { mavenCentral() }

• Add some test class (mkdir -p src/test/java && echo 'class A {}' > src/test/java/A.java)
• Run gradle test

Your Environment

Build scan URL: https://scans.gradle.com/s/cb5v5n5bmeyn6

[wolfs]

This is the stacktrace:

java.lang.StackOverflowError
        at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:152)
        at java.base/java.util.zip.ZipInputStream.read(ZipInputStream.java:196)
        at java.base/java.io.FilterInputStream.read(FilterInputStream.java:132)
        at java.base/java.io.PushbackInputStream.read(PushbackInputStream.java:182)
        at java.base/java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:242)
        at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)

[lptr]

@ghale do you remember if this might be related to deep-zip-snapshotting you added?

[ghale]

I think the deep-zip-snapshotting and the zip-bomb issue have been there since we first implemented the zip fingerprinting. We probably increased the number of places where this could occur when I added the functionality to hash zips found in directories, but this is not new behavior as far as I can tell.

[ghale]

I think the issue goes as far back as this commit: cc89468