JDK-8056934 : ZipInputStream does not correctly handle local header data descriptors with the optional signature missing
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.util.jar
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2014-08-29
  • Updated: 2020-07-22
  • Resolved: 2014-09-12
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 9
9 b32Fixed
Related Reports
Relates :  
JDK-4635869 - ZipInputStream fails to read certain valid zip archives
Relates :  
JDK-8249832 - java/util/zip/DataDescriptorSignatureMissing.java uses @ignore w/o bug-id
Description
A zip file local header may be optionally followed by a "data descriptor", and that may optionally include a signature.  ZipInputStream has code to handle the situation when the optional signature is missing, but it is buggy - off-by-one.

webrev: http://cr.openjdk.java.net/~martin/webrevs/openjdk9/zip-DataDescriptorSignatureMissing/

    /*
     * Local headers for DEFLATED entries may optionally be followed by a
     * data descriptor, and that data descriptor may optionally contain a
     * leading signature (EXTSIG).
     *
     * From the zip spec http://www.pkware.com/documents/casestudies/APPNOTE.TXT
     *
     * """Although not originally assigned a signature, the value 0x08074b50
     * has commonly been adopted as a signature value for the data descriptor
     * record.  Implementers should be aware that ZIP files may be
     * encountered with or without this signature marking data descriptors
     * and should account for either case when reading ZIP files to ensure
     * compatibility."""
     *
     * As of 2014-08, python's zipfile implementation does not include the
     * optional signature, but other implementations (including openjdk) do.
     *
     * ZipFile.writestr writes incorrect extended local headers
     * http://bugs.python.org/issue1742205
     */