#374 Validate AES extra data record before calculating header size

srikanth-lingala · Mar 22, 2022 · 82e8984 · 82e8984
1 parent 445c161
commit 82e8984
Showing 1 changed file with 12 additions and 3 deletions.
diff --git a/src/main/java/net/lingala/zip4j/io/inputstream/ZipInputStream.java b/src/main/java/net/lingala/zip4j/io/inputstream/ZipInputStream.java
@@ -19,6 +19,7 @@
 import net.lingala.zip4j.exception.ZipException;
 import net.lingala.zip4j.headers.HeaderReader;
 import net.lingala.zip4j.headers.HeaderSignature;
+import net.lingala.zip4j.model.AESExtraDataRecord;
 import net.lingala.zip4j.model.DataDescriptor;
 import net.lingala.zip4j.model.ExtraDataRecord;
 import net.lingala.zip4j.model.FileHeader;
@@ -347,14 +348,13 @@ private long getCompressedSize(LocalFileHeader localFileHeader) throws ZipExcept
     return localFileHeader.getCompressedSize() - getEncryptionHeaderSize(localFileHeader);
   }
 
-  private int getEncryptionHeaderSize(LocalFileHeader localFileHeader) {
+  private int getEncryptionHeaderSize(LocalFileHeader localFileHeader) throws ZipException {
     if (!localFileHeader.isEncrypted()) {
       return 0;
     }
 
     if (localFileHeader.getEncryptionMethod().equals(EncryptionMethod.AES)) {
-      return InternalZipConstants.AES_AUTH_LENGTH + InternalZipConstants.AES_PASSWORD_VERIFIER_LENGTH
-          + localFileHeader.getAesExtraDataRecord().getAesKeyStrength().getSaltLength();
+      return getAesEncryptionHeaderSize(localFileHeader.getAesExtraDataRecord());
     } else if (localFileHeader.getEncryptionMethod().equals(EncryptionMethod.ZIP_STANDARD)) {
       return InternalZipConstants.STD_DEC_HDR_SIZE;
     } else {
@@ -377,6 +377,15 @@ private void readUntilEndOfEntry() throws IOException {
     this.entryEOFReached = true;
   }
 
+  private int getAesEncryptionHeaderSize(AESExtraDataRecord aesExtraDataRecord) throws ZipException {
+    if (aesExtraDataRecord == null || aesExtraDataRecord.getAesKeyStrength() == null) {
+      throw new ZipException("AesExtraDataRecord not found or invalid for Aes encrypted entry");
+    }
+
+    return InternalZipConstants.AES_AUTH_LENGTH + InternalZipConstants.AES_PASSWORD_VERIFIER_LENGTH
+        + aesExtraDataRecord.getAesKeyStrength().getSaltLength();
+  }
+
   private boolean isEncryptionMethodZipStandard(LocalFileHeader localFileHeader) {
     return localFileHeader.isEncrypted() && EncryptionMethod.ZIP_STANDARD.equals(localFileHeader.getEncryptionMethod());
   }