getBytes does not validate ivLength, may throw NegativeArraySizeException #619

@AbdelrahmanWM

Summary

The getBytes method in CryptoByteArrayUtils does not validate the ivLength argument. If ivLength is larger than the input array length, the method will throw a NegativeArraySizeException when creating the result array.

System Setup

- Android: 35 (target SDK)
- Cryptomator: 1.13.0-SNAPSHOT

Cloud Type

No response

Steps to Reproduce

byte[] data = new byte[5];
CryptoByteArrayUtils.getBytes(data, 10);

Expected Behavior

An IllegalArgumentException should be thrown with a descriptive message like "ivLength must not exceed input array length".

Actual Behavior

NegativeArraySizeException is thrown.

Reproducibility

Always

Relevant Log Output

Anything else?

Target method

public static byte[] getBytes(byte[] encryptedBytesWithIv, int ivLength) {
	if (encryptedBytesWithIv == null) {
		throw new IllegalArgumentException("Input array must not be null");
	}
	// No bounds check on ivLength: the size below is negative when ivLength > encryptedBytesWithIv.length
	byte[] bytes = new byte[encryptedBytesWithIv.length - ivLength];
	System.arraycopy(encryptedBytesWithIv, ivLength, bytes, 0, bytes.length);
	return bytes;
}

Unit test used

@Test
void testGetBytes_withIvLengthGreaterThanArrayLength_shouldThrow() {
	byte[] input = {1, 2, 3};
	int ivLength = 5; // greater than input length

	assertThrows(NegativeArraySizeException.class, () -> {
		CryptoByteArrayUtils.getBytes(input, ivLength);
	});
}
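
One way to add the check the issue asks for, shown as an added example that is not part of the original issue and not the project's fix. The class `GetBytesValidationExample` and the helpers `getBytesChecked` and `thrownBy` are hypothetical names; the example goes beyond the reported case by also rejecting a negative `ivLength`.

```java
import java.util.Arrays;

// Added example: hypothetical class, not the Cryptomator source.
public class GetBytesValidationExample {

	// Hardened variant of getBytes: rejects any ivLength outside [0, input length]
	// before an array is allocated, so callers get one documented exception type.
	static byte[] getBytesChecked(byte[] encryptedBytesWithIv, int ivLength) {
		if (encryptedBytesWithIv == null) {
			throw new IllegalArgumentException("Input array must not be null");
		}
		if (ivLength < 0) {
			throw new IllegalArgumentException("ivLength must not be negative");
		}
		if (ivLength > encryptedBytesWithIv.length) {
			throw new IllegalArgumentException("ivLength must not exceed input array length");
		}
		// Copy everything after the IV prefix; the result is empty when ivLength == length.
		return Arrays.copyOfRange(encryptedBytesWithIv, ivLength, encryptedBytesWithIv.length);
	}

	// Returns the simple name of the exception thrown for the given input, or "none".
	static String thrownBy(byte[] input, int ivLength) {
		try {
			getBytesChecked(input, ivLength);
			return "none";
		} catch (RuntimeException e) {
			return e.getClass().getSimpleName();
		}
	}

	public static void main(String[] args) {
		byte[] data = {1, 2, 3, 4, 5}; // constructed sample input

		// Valid split: the first two bytes are treated as the IV.
		System.out.println(Arrays.toString(getBytesChecked(data, 2)));
		// Boundary case: the input holds only an IV, so the payload is empty.
		System.out.println(getBytesChecked(data, 5).length);
		// The reported case (ivLength > length), then negative and null inputs.
		System.out.println(thrownBy(data, 10));
		System.out.println(thrownBy(data, -1));
		System.out.println(thrownBy(null, 0));
	}
}
```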
