-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RangeError in buffer.js due to error at index.js:283 #31
Comments
good catch. you've found a bug. I'll look into fixing this and creating test cases for it. and thanks for your detailed analysis. you've made my job that much easier :) |
fix published in version 2.4.3. please let me know if you run into any other issues. |
Thank you for the improvement. However, it appears the zip files I'm trying to unzip are (though out of spec), a common one "in the wild", Android .apk files. I think the software needs to be lenient in a couple ways.
If you need example zip files I can send them, but hopefully the above description is sufficient to provide a workaround for out-of-spec but common zip files such as .apk and .jar. If you don't think always ignoring the out-of-spec headers is good, at least provide an option to ignore. |
You make some good arguments. Reopening. |
I double checked the zipfile spec to see if padding was allowed in the Extra Field, and I came to the same conclusion as this, which is that the padding is not allowed, and .apk files routinely violate the zipfile spec. that being said, tolerating some clearly fenced garbage in a zipfile isn't some big compromise of correctness for the rest of the interpretation; it's pretty obvious how to recover from the corrupt zipfile in this case. in fact, the change to yauzl would be mostly comprised of deleting code, and ending up with what you've been saying all along: iterating to I was considering adding a flag to allow/disallow the tolerance (just like the linked python issue considered), but I decided that in the grand scheme of things it wouldn't be worth it. Adding a flag would allow some yauzl users to do a sanity check on one tiny aspect of the zipfile format, and given that yauzl is so far from comprehensive sanity checks already, it wouldn't make sense. For example, yauzl completely ignores local file headers (also, just like the linked python issue mentioned). |
I tested parsing the as before, please let me know of anything else i can do to help. |
Just to follow up on this, yauzl does not ignore these, but you can in your application if you want. yauzl says there is an extra field with id of |
Works for me. Thanks! |
I was getting the following stack trace while unzipping a file:
I tracked it down to line 283:
while (i < extraFieldBuffer.length) {
which should instead be at least:
while (i+4 < extraFieldBuffer.length) {
to avoid attempting to read past the end of the buffer at line 284 and 285.
However, I think you should add another check before line 289 to ensure the extraFieldBuffer.copy does not fail due to an invalid size field in the zip file. That is, if it is invalid, you should throw a descriptive exception rather than letting it be handled by another RangeCheck error (which doesn't explain the problem very well to the casual user of a damaged zip file).
(Note that there appears to be no easy way to trap this exception since it occurs within FSReqWrap wrapper).
The text was updated successfully, but these errors were encountered: