TarInputStream.read() never returns EOF: bugzilla 39924

git-svn-id: https://svn.apache.org/repos/asf/ant/core/trunk@441862 13f79535-47bb-0310-9956-ffa450edef68

CONTRIBUTORS

@@ -188,6 +188,7 @@ Paul Galbraith
 Paulo Gaspar
 Peter B. West
 Peter Donald
+Peter Hulst
 Peter Reilly
 Phillip Wells
 Pierre Delisle

WHATSNEW

@@ -16,6 +16,8 @@ Fixed bugs:
 * AntClassLoader did not isolate resources when isolate was set. Bugzilla report 38747.
 * Diagnostics broken when using java 1.4. Bugzilla report 40395.
 * Exception reporting in <copy> was broken. Bugzilla report 40300.
+* Handling of corrupt tar files, TarInputStream.read() never returns EOF.
+  Bugzilla report 39924.
 
 Other changes:
 --------------

contributors.xml

@@ -747,6 +747,10 @@
     <first>Peter</first>
     <last>Donald</last>
   </name>
+  <name>
+    <first>Peter</first>
+    <last>Hulst</last>
+  </name>
   <name>
     <first>Peter</first>
     <last>Reilly</last>

src/main/org/apache/tools/tar/TarBuffer.java

@@ -271,6 +271,12 @@ public class TarBuffer {
             // Thanks to 'Yohann.Roussel@alcatel.fr' for this fix.
             //
             if (numBytes == -1) {
+                if (offset == 0) {
+                    // Ensure that we do not read gigabytes of zeros
+                    // for a corrupt tar file.
+                    // See http://issues.apache.org/bugzilla/show_bug.cgi?id=39924
+                    return false;
+                }
                 // However, just leaving the unread portion of the buffer dirty does
                 // cause problems in some cases.  This problem is described in
                 // http://issues.apache.org/bugzilla/show_bug.cgi?id=29877