Scan error: 'Index -1 out of bounds for length 0 #153

Closed
AlexMilotin opened this issue Dec 19, 2021 · 13 comments

AlexMilotin commented Dec 19, 2021

Hi,

Seems like zip file scanning is running into an error
Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip


and
Scan error: 'malformed input off : 98, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003 (2).zip
Scan error: 'malformed input off : 82, length : 1' on file: C:\Users\uix08287\Desktop\IE-DFSS-15-0003.zip


Contributor

xeraph commented Dec 19, 2021

@AlexMilotin Would you run with --debug and comment stacktrace for Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip ?

Author

AlexMilotin commented Dec 19, 2021

Scan error: 'Index -1 out of bounds for length 0

Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
Scanning directory: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip
Scan error: 'Index -1 out of bounds for length 0' on file: C:\Users\uie13286.VT1\Downloads\OneDrive_1_11-15-2021.zip
java.lang.IndexOutOfBoundsException: Index -1 out of bounds for length 0
        at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
        at jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
        at jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
        at java.util.Objects.checkIndex(Objects.java:372)
        at java.util.ArrayList.get(ArrayList.java:459)
        at com.logpresso.scanner.Detector.scanStream(Detector.java:250)
        at com.logpresso.scanner.Detector.scanJarFile(Detector.java:112)
        at com.logpresso.scanner.Log4j2Scanner.traverse(Log4j2Scanner.java:306)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:146)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:69)
        at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:30)

Author

AlexMilotin commented Dec 19, 2021

Also for one of the malformed perhaps would be helpful

PS C:\temp> .\log4j2-scan.exe --debug --scan-log4j1 --scan-logback --scan-zip --silent "C:\Program Files\Python36\Lib\test\zip_cp437_header.zip"
Logpresso CVE-2021-44228 Vulnerability Scanner 2.3.2 (2021-12-19)
Scanning directory: C:\Program Files\Python36\Lib\test\zip_cp437_header.zip
Scan error: 'malformed input off : 14, length : 1' on file: C:\Program Files\Python36\Lib\test\zip_cp437_header.zip
java.lang.IllegalArgumentException: malformed input off : 14, length : 1
        at java.lang.StringCoding.throwMalformed(StringCoding.java:685)
        at java.lang.StringCoding.decodeUTF8_0(StringCoding.java:872)
        at java.lang.StringCoding.newStringUTF8NoRepl(StringCoding.java:965)
        at java.lang.System$2.newStringUTF8NoRepl(System.java:2203)
        at java.util.zip.ZipCoder$UTF8.toString(ZipCoder.java:60)
        at java.util.zip.ZipCoder.toString(ZipCoder.java:87)
        at java.util.zip.ZipInputStream.readLOC(ZipInputStream.java:303)
        at java.util.zip.ZipInputStream.getNextEntry(ZipInputStream.java:125)
        at com.logpresso.scanner.Detector.scanStream(Detector.java:171)
        at com.logpresso.scanner.Detector.scanJarFile(Detector.java:112)
        at com.logpresso.scanner.Log4j2Scanner.traverse(Log4j2Scanner.java:306)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:146)
        at com.logpresso.scanner.Log4j2Scanner.run(Log4j2Scanner.java:69)
        at com.logpresso.scanner.Log4j2Scanner.main(Log4j2Scanner.java:30)
Caused by: java.nio.charset.MalformedInputException: Input length = 1
        ... 14 more

Contributor

xeraph commented Dec 19, 2021

@AlexMilotin Both exception traces are caused by encoding issues. The default zip entry encoding is utf8, but the file appears to be encoded in a different character set. Maybe adding another encoding option can be useful; however, if each zip file uses a different encoding, it is hard to resolve.

@xeraph xeraph self-assigned this Dec 19, 2021
@xeraph xeraph added the discussion question or suggestion label Dec 19, 2021
Author

AlexMilotin commented Dec 19, 2021

@xeraph Assuming the most used ones are utf8, latin1 and CP437, I would hope that adding latin1 and CP437 is enough?

Contributor

xeraph commented Dec 19, 2021

@AlexMilotin Would you upload a small CP437 zip file which causes the error? I want to reproduce it.

Author

AlexMilotin commented Dec 19, 2021

Hopefully this is the one you need. It is what I got from one of our devs:
zip_cp437_header.zip
It is the same one from the malformed error here: #153 (comment)

Contributor

xeraph commented Dec 19, 2021

@AlexMilotin Would you test the v2.3.3 release? If your system default encoding is cp437, no additional option is required. If you want to decompress a ZIP which is encoded with another charset, use the --zip-charset option, e.g. --zip-charset CP437

@xeraph xeraph added patch released enhancement New feature or request and removed discussion question or suggestion labels Dec 19, 2021
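
The failure discussed in this thread, as an added example that is not part of the issue or the scanner's own code: `java.util.zip.ZipInputStream` decodes entry names as UTF-8 unless it is given a charset, so a CP437-encoded name throws before any entry is read. The class name, method names, candidate list and sample entry name are hypothetical and constructed for illustration.

```java
import java.io.*;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class ZipCharsetFallback {
    // Constructed sample: a ZIP whose single entry name is stored as CP437 bytes.
    static byte[] buildCp437Zip() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf, Charset.forName("IBM437"))) {
            // U+00FC is byte 0x81 in CP437, which is not valid UTF-8 on its own.
            zos.putNextEntry(new ZipEntry("b\u00fccher/log4j-core-2.14.1.jar"));
            zos.write(new byte[] {1, 2, 3});
            zos.closeEntry();
        }
        return buf.toByteArray();
    }

    // List entry names with one charset; undecodable name bytes surface as an exception.
    static List<String> listEntries(byte[] zip, Charset cs) throws IOException {
        List<String> names = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zip), cs)) {
            for (ZipEntry e; (e = zis.getNextEntry()) != null; ) {
                names.add(e.getName());
            }
        }
        return names;
    }

    // Try each candidate in order and report which charset decoded every name.
    static String scan(byte[] zip, List<Charset> candidates) throws IOException {
        for (Charset cs : candidates) {
            try {
                return cs.name() + " -> " + listEntries(zip, cs);
            } catch (IllegalArgumentException | ZipException ex) {
                // Same class of failure as the "malformed input" trace in this thread.
                System.err.println(cs.name() + " failed: " + ex.getMessage());
            }
        }
        return "unreadable with all candidate charsets";
    }

    public static void main(String[] args) throws IOException {
        List<Charset> order = Arrays.asList(StandardCharsets.UTF_8, Charset.forName("IBM437"));
        System.out.println(scan(buildCp437Zip(), order));
    }
}
```

Single-byte charsets such as CP437 and latin1 accept every byte value, so they never fail and must come after UTF-8 in the candidate order. An archive that is skipped on a name-decoding error is an archive whose nested jars were never inspected, so such errors should be counted as unscanned files rather than clean ones.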
@AlexMilotin
Author

That works like a charm for the malformed issues.
For the Scan error: 'Index -1 out of bounds for length 0' I do not get the error anymore but instead it does Skipping it as broken .jar


Contributor

xeraph commented Dec 19, 2021

Oops. 'Index -1 out of bounds for length 0' was a different issue. I will fix it soon. Thank you for reporting! @AlexMilotin

Contributor

xeraph commented Dec 19, 2021

@AlexMilotin Would you upload a zip which causes 'only DEFLATED entries can have EXT descriptor'?
Found some sample from https://github.com/Aefyr/SAI/files/4343980/Netflix_v7.48.0.build.10.34747.zip

Contributor

xeraph commented Dec 19, 2021

@AlexMilotin v2.3.4 reduces 'only DEFLATED entries can have EXT descriptor' errors.
(an error still occurs for the nested zip case due to a JDK limitation)

Contributor

xeraph commented Dec 22, 2021

@AlexMilotin The v2.6.0 release can resolve almost all ZIP errors.

@xeraph xeraph closed this as completed Dec 22, 2021