@@ -27,6 +27,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
2727import org .apache .commons .compress .archivers .zip .ZipArchiveEntry ;
2828import org .apache .commons .compress .archivers .zip .ZipArchiveInputStream ;
2929import org .apache .commons .compress .utils .InputStreamStatistics ;
30+ import org .apache .logging .log4j .Logger ;
31+ import org .apache .poi .logging .PoiLogManager ;
3032import org .apache .poi .openxml4j .exceptions .NotOfficeXmlFileException ;
3133import org .apache .poi .util .IOUtils ;
3234import org .apache .poi .util .Internal ;
@@ -36,6 +38,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
3638@ Internal
3739public class ZipArchiveThresholdInputStream extends FilterInputStream {
3840
41+ private static final Logger LOG = PoiLogManager .getLogger (ZipArchiveThresholdInputStream .class );
42+
3943 private static final String MAX_ENTRY_SIZE_MSG =
4044 "Zip bomb detected! The file would exceed the max size of the expanded data in the zip-file.\n " +
4145 "This may indicates that the file is used to inflate memory usage and thus could pose a security risk.\n " +
@@ -112,11 +116,14 @@ private void checkThreshold() throws IOException {
112116 long rawSize ;
113117 try {
114118 rawSize = stats .getCompressedCount ();
115- } catch (NullPointerException e ) {
119+ } catch (Exception e ) {
116120 // this can happen with a very specially crafted file
117121 // see https://issues.apache.org/jira/browse/COMPRESS-598 for a related bug-report
118122 // therefore we try to handle this gracefully for now
119123 // this try/catch can be removed when COMPRESS-598 is fixed
124+ // March 2026: there is an unreleased change for COMPRESS-598 which changes the NPE
125+ // to a ZipException. To future proof the code, I will catch any exception here.
126+ LOG .warn ("Unable to get the compress count for this compressed stream meaning the zip bomb check can't be done" );
120127 rawSize = 0 ;
121128 }
122129
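Review bot: The widened `catch (Exception e)` in checkThreshold() logs a fixed string and drops `e`, so a warning triggered by a crafted archive records neither the exception type nor a stack trace, and an unrelated runtime failure inside `getCompressedCount()` would be indistinguishable from the COMPRESS-598 case. Passing the cause as the last argument, `LOG.warn("Unable to get the compress count for this compressed stream meaning the zip bomb check can't be done", e);`, keeps that evidence for triage. The message says the zip bomb check cannot be done, yet the code continues with `rawSize = 0`; how the rest of the method treats that value lies outside the hunk, so it is worth confirming that the fallback rejects the entry rather than skipping the check, and wording the message to match. If checkThreshold() runs on every read (not visible here), the warning may repeat many times for a single file and could be limited to once per stream.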