Optionally Respect Header Size when Decompressing #550

New Issue

Open

opened 2026-01-29 22:13:38 +00:00 by claunia · 1 comment

claunia commented 2026-01-29 22:13:38 +00:00

Owner

Copy Link

Originally created by @sburmanoctopus on GitHub (Dec 13, 2022).

Hello!

Would it be possible to have an option to fail decompression if the actual size of a decompressed entry starts to go over the uncompressed size declared in the header during decompression?

Headers of the zip file are easily manipulated, and so the uncompressed size can be changed to something smaller.

When using SharpCompress, I found that the manipulated header was being used when reading TotalUncompressSize, but the archive would decompress to its original size regardless of what size the header said it should be.

I understand many people may not want this, so thought it might be something that could be done as an option (in ExtractionOptions maybe).

For now, we have coded a solution around this. But it would be great if there was a way to enforce the header size in SharpCompress itself for use in other projects.

Originally created by @sburmanoctopus on GitHub (Dec 13, 2022). Hello! Would it be possible to have an option to fail decompression if the actual size of a decompressed entry starts to go over the uncompressed size declared in the header during decompression? Headers of the zip file are easily manipulated, and so the uncompressed size can be changed to something smaller. When using SharpCompress, I found that the manipulated header was being used when reading TotalUncompressSize, but the archive would decompress to its original size regardless of what size the header said it should be. I understand many people may not want this, so thought it might be something that could be done as an option (in ExtractionOptions maybe). For now, we have coded a solution around this. But it would be great if there was a way to enforce the header size in SharpCompress itself for use in other projects.

claunia added the enhancementup for grabs labels 2026-01-29 22:13:38 +00:00

claunia commented 2026-01-29 22:13:38 +00:00

Author

Owner

Copy Link

@adamhathcock commented on GitHub (Dec 13, 2022):

Sounds like we should just blanket do that as a more security feature anyway. Invalid or malformed archives/headers should be exceptions thrown.

The option would be to not to this validation.

@adamhathcock commented on GitHub (Dec 13, 2022): Sounds like we should just blanket do that as a more security feature anyway. Invalid or malformed archives/headers should be exceptions thrown. The option would be to not to this validation.

claunia referenced this issue 2026-01-29 22:18:57 +00:00

[PR #550] [MERGED] Improve Code Quality 3 #1089

claunia referenced this issue 2026-01-29 22:18:58 +00:00

[PR #550] Improve Code Quality 3 #1093

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

adam/add-alternate-compressions

copilot/consolidate-readfully-readexact-logic

adam/make-nullable

copilot/fix-openentrystreamasync-memory-issue

release

adam/more-explode-async

copilot/fix-infinite-loop-rar-archive

adam/data-descriptor-fix

adam/fix-tests-with-proper-rewind

copilot/fix-data-descriptor-stream-bug

adam/lmza-investigation

adam/create-rar-async

adam/async-rar2

copilot/support-multi-threading-path

copilot/sub-pr-1132-again

adam/memory-perf

copilot/add-performance-benchmarking

copilot/sub-pr-1121

copilot/add-password-support-zip-files

copilot/add-so-optimized-zip-support

adam/rar-async-only

copilot/add-buffered-stream-async-read

copilot/sub-pr-1076

copilot/fix-decompression-exception

copilot/fix-archivefactory-issue

copilot/rationalize-sourcestream-volumes

adam/open-async

copilot/add-ace-archive-support

copilot/sub-pr-1040-again

adam/more-async-3

copilot/fix-tararchive-incomplete-iteration

adam/multi-threaded

copilot/sub-pr-1040

adam/awesome-copilot

copilot/fix-ziparchive-extraction-issue

copilot/fix-tararchive-open-crash

copilot/fix-tar-xz-file-reading-issue

copilot/setup-copilot-instructions

copilot/fix-decompression-performance-issue

copilot/convert-stream-access-to-async

adam/enable-agent

adam/async-deflate

adam/async-rar

adam/more-cleanup

adam/zstd

async-2

zstandard

net461-tests

dmg

async

build-netcore3

recycle-memory-stream

presentation

pax

netcore2

zip_encryption

dotnet-tool

tar_redux

native_zlib

Issue-197

system_buffers

TarNames

7zip_sfx

portable_crypto

WinRT

new_7zip

0.44.5

0.44.4

0.44.3

0.44.2

0.44.1

0.44.0

0.43.0

0.42.1

0.42.0

0.41.0

0.40.0

0.39.0

0.38.0

0.37.2

0.37.1

0.37.0

0.36.0

0.35.0

0.34.2

0.34.1

0.34.0

0.33.0

0.32.2

0.32.1

0.32

0.31

0.30.1

0.30

0.29

0.29.0

0.28.3

0.28.2

0.28.1

0.28

0.27.1

0.27

0.26

0.25.1

0.25

0.24

0.23

0.22

0.21.1

0.21

0.21.0

0.20.0

0.19.2

0.19.1

0.19

0.18.2

0.18.1

0.18

0.17.1

0.17.0

0.16.2

0.16.1

0.16.0

0.15.2

0.15.1

0.15.0

0.14.1

0.14.0

0.13.1

0.13.0

0.12.4

0.12.3

0.12.2

0.12.1

0.12.0

0.11.6

0.11.5

0.11.4

0.11.3

0.11.2

0.11.1

0.11

0.10.3

0.10.2

0.10.1.3

0.10.1.2

0.10.1.1

0.10.1

0.10

0.9

Labels

Clear labels

bug

duplicate

enhancement

feedback requested

not bug

pull-request

Mirrored from GitHub Pull Request

question

up for grabs

wontfix

No Label enhancement up for grabs

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

claunia

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/sharpcompress#550