Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid IndexOutOfRangeException in ZipArchive #109168

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

peter15914
Copy link

Fixes #109167

This pull request fixes unexpected IndexOutOfRangeException in ZipArchive.
Additional check added that array index is not out of range.
It is done in a similar way to the code in HuffmanTree.c:230:

if (value > 0)
{
    // prevent an IndexOutOfRangeException from array[index]
    throw new InvalidDataException(SR.InvalidHuffmanData);
}

Found by Linux Verification Center (linuxtesting.org).

@peter15914
Copy link
Author

Hello, @ericstj , @dotnet/area-system-io-compression !
Can you review this PR?

if (index >= array.Length)
{
// prevent an IndexOutOfRangeException from array[index]
throw new InvalidDataException(SR.InvalidHuffmanData);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to add a test for this?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @stephentoub, thanks for the response!
I'll try to add a test for this scenario.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

peter15914 added a commit to peter15914/runtime-assets that referenced this pull request Nov 20, 2024
An IndexOutOfRangeException exception is thrown when this invalid zip file is opened with ZipArchive.
This file is generated while fuzzing ZipArchive with AFL++.

More details in issue and pull request:
dotnet/runtime#109167
dotnet/runtime#109168
akoeplinger pushed a commit to dotnet/runtime-assets that referenced this pull request Nov 21, 2024
An IndexOutOfRangeException exception is thrown when this invalid zip file is opened with ZipArchive.
This file is generated while fuzzing ZipArchive with AFL++.

More details in issue and pull request:
dotnet/runtime#109167
dotnet/runtime#109168
@akoeplinger
Copy link
Member

akoeplinger commented Nov 21, 2024

@peter15914 FYI you'll need to wait until #109477 is merged to be able to consume the runtime-assets changes. Once that PR is in you can merge main into your branch and you should be able to access the new file.

Add test to cover problem with invalid zip file.
Currently an IndexOutOfRangeException is thrown when invalid zip file is opened with ZipArchive.
@peter15914
Copy link
Author

@dotnet-policy-service agree

@peter15914
Copy link
Author

Hello @stephentoub !
I added unit test for this scenario.
Method ZipArchive_InvalidHuffmanData is made similar to existing functions in zip_InvalidParametersAndStrangeFiles.cs.

@stephentoub
Copy link
Member

Hello @stephentoub ! I added unit test for this scenario. Method ZipArchive_InvalidHuffmanData is made similar to existing functions in zip_InvalidParametersAndStrangeFiles.cs.

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-System.IO.Compression community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Development

Successfully merging this pull request may close these issues.

IndexOutOfRangeException in System.IO.Compression.ZipArchive
3 participants