From e0674a74ed13b0acf4d3d3f550886ed4d7ef0ee5 Mon Sep 17 00:00:00 2001
From: PunKeel
Date: Sun, 23 Apr 2017 20:17:18 +0200
Subject: [PATCH] :zap: Zip: don't trust "getSize"
This method may return "-1", or wrong values. Relying on it is dangerous. + add a TODO item: limit the max file size? We don't want to hold more than X MB in memory, do we?
---
 .../main/java/xyz/docbleach/module/zip/ArchiveBleach.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/module/module-zip/src/main/java/xyz/docbleach/module/zip/ArchiveBleach.java b/module/module-zip/src/main/java/xyz/docbleach/module/zip/ArchiveBleach.java
index c83b3e5c..6f266ed5 100644
--- a/module/module-zip/src/main/java/xyz/docbleach/module/zip/ArchiveBleach.java
+++ b/module/module-zip/src/main/java/xyz/docbleach/module/zip/ArchiveBleach.java
@@ -73,15 +73,17 @@ private void sanitizeFile(BleachSession session, ZipInputStream zipIn, ZipOutput
 ByteArrayOutputStream streamBuilder = new ByteArrayOutputStream();
 int bytesRead;
- byte[] tempBuffer = new byte[(int) entry.getSize()];
+ // @TODO: check real file size?
+ byte[] tempBuffer = new byte[1024];
 while ((bytesRead = zipIn.read(tempBuffer)) != -1) {
 streamBuilder.write(tempBuffer, 0, bytesRead);
 }
- ByteArrayOutputStream out = new ByteArrayOutputStream();
-
 ByteArrayInputStream bais = new ByteArrayInputStream(streamBuilder.toByteArray());
 CloseShieldInputStream is = new CloseShieldInputStream(new BufferedInputStream(bais));
+ ByteArrayOutputStream out = new ByteArrayOutputStream();
+
+
 try {
 session.sanitize(is, out);
 } catch (RecursionBleachException e) {
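Review bot: The loop `while ((bytesRead = zipIn.read(tempBuffer)) != -1)` still copies the whole decompressed entry into `streamBuilder` with no upper bound, so a small, highly compressed entry in an untrusted archive can exhaust the heap before `session.sanitize` is reached. The new `@TODO` points at this but leaves it open. Keep a running total and abort past a limit: declare `long total = 0;` before the loop and make `if ((total += bytesRead) > MAX_ENTRY_BYTES) throw new IOException("zip entry exceeds size limit");` its first statement, where `MAX_ENTRY_BYTES` is a placeholder for a constant this class would need to define. The comment would also be clearer as `// TODO: enforce a maximum decompressed size per entry; entry.getSize() comes from the archive and may be -1 or wrong`. `sanitizeFile` starts and ends outside the hunk, so whether it already declares `IOException` cannot be confirmed from here.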