Throw ArchiveException instead of EOFException when CPIO namesize <= 0 (#771)

garydgregory · web-flow · commit 354b548529d0 · 2026-04-28T11:36:24.000-04:00
diff --git a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
@@ -463,7 +463,7 @@ private CpioArchiveEntry readNewEntry(final boolean hasCrc) throws IOException {
         newEntry.setRemoteDeviceMaj(readAsciiLong(8, 16));
         newEntry.setRemoteDeviceMin(readAsciiLong(8, 16));
         final long namesize = readAsciiLong(8, 16);
-        if (namesize < 0) {
+        if (namesize <= 0) {
             throw new ArchiveException("Found illegal entry with negative name length");
         }
         newEntry.setChksum(readAsciiLong(8, 16));
diff --git a/src/test/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStreamTest.java b/src/test/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStreamTest.java
@@ -93,6 +93,33 @@ void testCrcVerification() throws Exception {
         }
     }
 
+    @Test
+    void testEndOfFileInEntry_c_namesize_0x00000000() throws Exception {
+        // CPIO header with c_namesize = 0x00000000
+        // @formatter:off
+        final String header =
+                "070701" + // c_magic
+                "00000000" + // c_ino
+                "000081A4" + // c_mode
+                "00000000" + // c_uid
+                "00000000" + // c_gid
+                "00000001" + // c_nlink
+                "00000000" + // c_mtime
+                "00000000" + // c_filesize
+                "00000000" + // c_devmajor
+                "00000000" + // c_devminor
+                "00000000" + // c_rdevmajor
+                "00000000" + // c_rdevminor
+                "00000000" + // c_namesize
+                "00000000"; // c_check
+        // @formatter:on
+        final byte[] data = new byte[header.getBytes(StandardCharsets.US_ASCII).length + 1];
+        System.arraycopy(header.getBytes(), 0, data, 0, header.getBytes().length);
+        try (CpioArchiveInputStream cpio = CpioArchiveInputStream.builder().setByteArray(data).get()) {
+            assertThrows(ArchiveException.class, () -> cpio.getNextEntry());
+        }
+    }
+
     @Test
     void testEndOfFileInEntry_c_namesize_0xFFFFFFFF() throws Exception {
         // CPIO header with c_namesize = 0xFFFFFFFF

Original file line number	Diff line number	Diff line change
`@@ -463,7 +463,7 @@ private CpioArchiveEntry readNewEntry(final boolean hasCrc) throws IOException {`
`463`	`463`	`newEntry.setRemoteDeviceMaj(readAsciiLong(8, 16));`
`464`	`464`	`newEntry.setRemoteDeviceMin(readAsciiLong(8, 16));`
`465`	`465`	`final long namesize = readAsciiLong(8, 16);`
`466`		`- if (namesize < 0) {`
	`466`	`+ if (namesize <= 0) {`
`467`	`467`	`throw new ArchiveException("Found illegal entry with negative name length");`
`468`	`468`	`}`
`469`	`469`	`newEntry.setChksum(readAsciiLong(8, 16));`