Release to Master

[adamhathcock]

This pull request introduces several important improvements to the robustness and security of archive decompression, especially for BZip2, Deflate64, Reduce, Shrink, and ZStandard formats. The changes focus on improved error handling, preventing out-of-memory issues, and ensuring buffer sizes are appropriate for the formats being processed.

Security and Robustness Improvements

• Added explicit bounds checking and error handling in BZip2 and Deflate64 decompression routines to prevent out-of-bounds reads and provide clear error messages when encountering invalid or corrupted data. [1] [2] [3] [4] [5] [6] [7] [8] [9]
• Improved error handling in ZIP streaming header reading by catching EndOfStreamException and throwing an InvalidFormatException with a descriptive message.
• Added checks in Reduce decompression streams to detect when compressed input is exhausted before the expected uncompressed size is reached, throwing an InvalidFormatException in such cases. [1] [2] [3] [4] [5]

Shrink Decompression Hardening

• Refactored ShrinkStream to avoid pre-allocating buffers based on declared compressed size, instead reading actual compressed data from the stream. This prevents possible OutOfMemoryException attacks with crafted archives and ensures the stream is safely bounded. [1] [2] [3] [4]
• Added validation to ensure the declared uncompressed size for Shrink streams does not exceed int.MaxValue, throwing an exception if it does.

Buffer Size and Format Detection Adjustments

• Reduced the default RewindableBufferSize from 160KB to 80KB, clarifying that formats needing larger buffers (e.g., BZip2, ZStandard) specify their own requirements. Updated documentation accordingly. [1] [2]
• Optimized TarReader ring buffer allocation strategy: instead of allocating TarWrapper.MaximumRewindBufferSize (~900 KB) for every non-seekable stream regardless of format, the reader now starts with a small default buffer (80 KB) for cheap magic-byte detection, then grows the buffer lazily to the matched wrapper's MinimumRewindBufferSize only when needed (e.g., ~900 KB for BZip2, smaller for GZip/plain tar). This reduces per-reader memory usage significantly in high-concurrency scenarios when most archives are not BZip2-compressed. [1] [2] [3] [4]
• Added SharpCompressStream.EnsureMinimumRingBufferCapacity(int) to support lazy ring buffer growth, preserving already-buffered bytes when the buffer is enlarged.
• Added ZStandard-specific constants to clarify maximum block size and recommended input buffer size for streaming decompression.

[Copilot]

Pull request overview

This PR hardens archive decompression and tar format detection, focusing on safer handling of malformed/crafted inputs (to avoid OOB reads / OOM) and on ensuring non-seekable tar streams have adequate rewind buffering for formats like BZip2 and ZStandard.

Changes:

• Added bounds checks / clearer failures in Deflate64 and BZip2 decoding paths, plus improved ZIP streaming header EOF handling.
• Refactored Shrink decompression to avoid allocating based on untrusted “compressed size”, and added malformed-input regression tests (Reduce/Deflate64/BZip2/Shrink).
• Reworked tar detection buffering: per-wrapper minimum rewind sizes (BZip2/ZStandard) and a maximum used during tar probing; lowered the global default rewindable buffer size.

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
tests/SharpCompress.Test/Tar/TarReaderTests.cs	Adds regression tests for non-seekable tar.bz2 reading and TarWrapper buffer sizing defaults.
tests/SharpCompress.Test/Streams/SharpCompressStreamSeekTest.cs	Adds tests covering StartRecording(minBufferSize) behavior and default buffer usage.
tests/SharpCompress.Test/MalformedInputTests.cs	Adds malformed-input tests covering Reduce “decompression bomb”, Deflate64 invalid Huffman data, BZip2 invalid symbol, and Shrink OOM attempt.
src/SharpCompress/Readers/Tar/TarReader.Factory.cs	Ensures non-seekable tar reader probing allocates a ring buffer sized to TarWrapper.MaximumRewindBufferSize.
src/SharpCompress/Providers/Default/ShrinkCompressionProvider.cs	Updates Shrink provider to use new ShrinkStream API (now only passes output size).
src/SharpCompress/packages.lock.json	Updates locked dependency resolutions for ILLink tasks.
src/SharpCompress/IO/SharpCompressStream.cs	Extends StartRecording to accept an optional minimum ring buffer size and documents the behavior.
src/SharpCompress/IO/SeekableSharpCompressStream.cs	Updates StartRecording override signature to match base (parameter ignored for seekable streams).
src/SharpCompress/Factories/TarWrapper.cs	Adds MinimumRewindBufferSize per wrapper, sets BZip2/ZStandard requirements, and exposes MaximumRewindBufferSize.
src/SharpCompress/Factories/TarFactory.cs	Uses TarWrapper.MaximumRewindBufferSize when starting recording for tar probing.
src/SharpCompress/Compressors/ZStandard/ZstandardConstants.cs	Adds constants for max block size and recommended streaming input buffer size.
src/SharpCompress/Compressors/Shrink/ShrinkStream.cs	Refactors ShrinkStream to avoid prealloc based on declared compressed size; reads actual compressed bytes instead; validates output size <= int.MaxValue.
src/SharpCompress/Compressors/Shrink/ShrinkStream.Async.cs	Mirrors ShrinkStream changes in async path (read actual compressed bytes, then decompress).
src/SharpCompress/Compressors/Reduce/ReduceStream.cs	Detects early exhaustion of compressed input and throws InvalidFormatException instead of producing unbounded output.
src/SharpCompress/Compressors/Reduce/ReduceStream.Async.cs	Async parity for ReduceStream early-exhaustion detection.
src/SharpCompress/Compressors/Deflate64/HuffmanTree.cs	Adds bounds check to prevent out-of-range table writes on malformed Huffman data.
src/SharpCompress/Compressors/BZip2/CBZip2InputStream.cs	Adds bounds checks for selector/symbol indices to prevent OOB on malformed BZip2 streams.
src/SharpCompress/Compressors/BZip2/CBZip2InputStream.Async.cs	Async parity for the new BZip2 bounds checks.
src/SharpCompress/Common/Zip/StreamingZipHeaderFactory.cs	Converts EndOfStreamException into InvalidFormatException with a clearer message during header reads.
src/SharpCompress/Common/Constants.cs	Reduces default RewindableBufferSize to 80KB and updates docs to point to per-format tar wrapper sizing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

ValidateRequiredSizes enforces that CompressionContext.InputSize is provided, but the updated Shrink implementation no longer uses context.InputSize (only OutputSize) and reads the entire source stream. Either use InputSize to bound the compressed read (and keep the validation/messages accurate), or relax the validation + update the remarks/DecompressionContextRequirementDescription to reflect the real requirements.

[adamhathcock]

@copilot apply changes based on this feedback

[Copilot]

Fixed in 765f281. Added ValidateOutputSize to CompressionProviderBase that only checks OutputSize >= 0. ShrinkCompressionProvider now calls ValidateOutputSize instead of ValidateRequiredSizes, and the remarks and DecompressionContextRequirementDescription have been updated to reflect that only OutputSize (uncompressed size) is required — InputSize is not needed since ShrinkStream reads directly from the bounded source stream.

[Copilot]

minBufferSize is ignored when _ringBuffer was preallocated in the constructor (e.g., via SharpCompressStream.Create(stream, bufferSize: ...)). This makes the new StartRecording(minBufferSize) parameter ineffective in those cases; consider ensuring the existing ring buffer capacity is at least minBufferSize (or documenting that minBufferSize only applies when no ring buffer exists yet).

[adamhathcock]

@copilot apply changes based on this feedback

[Copilot]

Fixed in 765f281. StartRecording now calls EnsureMinimumRingBufferCapacity(minBufferSize.Value) when the ring buffer was pre-allocated but smaller than the requested minimum, making the minBufferSize parameter effective regardless of how the stream was constructed.

[Copilot]

For non-seekable inputs this forces the ring buffer to TarWrapper.MaximumRewindBufferSize (~900KB due to BZip2) even when the archive is e.g. tar/tar.gz. This can be a noticeable per-reader memory increase in high-concurrency scenarios; consider a strategy that allocates only the matched wrapper’s required size (or a growable ring buffer) after cheap magic detection, while still preserving the ability to rewind the initial probe bytes.

[adamhathcock]

@copilot apply changes based on this feedback

[Copilot]

Applied in eb2126e. The fix uses a two-phase approach:

1. TarReader.OpenReader (both sync and async) now creates the initial SharpCompressStream with only the default 80 KB ring buffer instead of MaximumRewindBufferSize (~900 KB).
2. After the cheap magic-byte IsMatch check identifies the compression format, EnsureMinimumRingBufferCapacity is called with the matched wrapper's MinimumRewindBufferSize. This copies the small number of already-buffered bytes (at most a few hundred bytes from the None-wrapper probe) into a new, larger ring buffer only when actually needed (i.e., only for BZip2 and ZStandard formats).

A plain tar or tar.gz stream now allocates ~80 KB; only tar.bz2 allocates ~900 KB. The EnsureMinimumRingBufferCapacity method is a no-op for seekable streams (SeekableSharpCompressStream) since they use native seeking with no ring buffer.

[Copilot]

Same concern as the async path: on non-seekable streams this makes every TarReader allocate at least TarWrapper.MaximumRewindBufferSize (~900KB) regardless of actual compression type. If many readers are opened concurrently, this may increase memory usage significantly; consider allocating based on the matched wrapper’s minimum (or making the buffer growable) after initial detection.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 8 comments.

Comments suppressed due to low confidence (1)

src/SharpCompress/Compressors/Shrink/ShrinkStream.cs:45

• CanSeek returns true, but Position's setter throws NotImplementedException (and Seek(...) is also unimplemented). This violates the Stream contract and can break callers that branch on CanSeek. Since this stream is fully in-memory after decompression, consider implementing Seek/Position properly (or set CanSeek to false).

    public override bool CanRead => true;

    public override bool CanSeek => true;

    public override bool CanWrite => false;

    public override long Length => _uncompressedSize;

    public override long Position
    {
        get => _position;
        set => throw new NotImplementedException();
    }

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

StartRecording(minBufferSize) only uses minBufferSize when _ringBuffer is null. If the stream was created via SharpCompressStream.Create(..., bufferSize: ...) (which pre-allocates _ringBuffer), a larger minBufferSize is silently ignored and a later rewind can still overflow. Consider ensuring the existing ring buffer capacity is at least the requested minimum (e.g., call EnsureMinimumRingBufferCapacity(size) here) or throwing when minBufferSize exceeds the current capacity.

[Copilot]

The initial bufferSize is computed with Math.Max(readerOptions.RewindableBufferSize ?? 0, Constants.RewindableBufferSize), which makes it impossible to set a per-stream rewindable buffer smaller than the global default even though Constants.RewindableBufferSize is documented as overridable per stream. Consider using readerOptions.RewindableBufferSize ?? Constants.RewindableBufferSize for the initial buffer (and keep the later growth to wrapper.MinimumRewindBufferSize for formats that need it).

Suggested change

	)
	);
	long pos = sharpCompressStream.Position;
	foreach (var wrapper in TarWrapper.Wrappers)
	bufferSize: readerOptions.RewindableBufferSize ?? Common.Constants.RewindableBufferSize

[Copilot]

These updated docs state that TarWrapper.MaximumRewindBufferSize is used “at stream construction” to ensure correct capacity is allocated upfront, but TarReader now grows the buffer lazily via EnsureMinimumRingBufferCapacity after wrapper matching (and TarFactory allocates during StartRecording, not construction). Consider adjusting the wording to reflect the actual behavior so consumers aren’t misled about when/where the max size is applied.

Suggested change

	/// <c>TarWrapper.MaximumRewindBufferSize</c> is used at stream construction
	/// to ensure the correct capacity is allocated upfront.
	/// <c>TarWrapper.MaximumRewindBufferSize</c> may be used to grow the rewind
	/// buffer as needed during format detection or recording rather than
	/// allocating the maximum capacity upfront at stream construction.

[Copilot]

Calling StartRecording(TarWrapper.MaximumRewindBufferSize) here forces allocating the maximum (~900KB due to BZip2) for every stream, even when the wrapper match fails early (e.g., plain tar/gzip) and even for seekable streams (since this path uses new SharpCompressStream(stream) rather than SharpCompressStream.Create). Consider the same two-phase strategy as TarReader.Factory: start with a small buffer, only grow when wrapper.IsMatch(...) succeeds (and/or use SharpCompressStream.Create to avoid ring buffering for seekable streams).

[Copilot]

Calling StartRecording(TarWrapper.MaximumRewindBufferSize) here forces allocating the maximum (~900KB due to BZip2) for every stream, even when the wrapper match fails early and even for seekable streams (since this path uses new SharpCompressStream(stream) rather than SharpCompressStream.Create). Consider starting with a small buffer and only growing when IsMatchAsync succeeds (or switching to SharpCompressStream.Create to avoid buffering for seekable streams).

[Copilot]

Calling StartRecording(TarWrapper.MaximumRewindBufferSize) here forces allocating the maximum ring buffer for every stream opened via TarFactory.OpenReader, even when the archive isn’t BZip2/ZStd. Consider a lazy growth approach (small initial buffer, grow only after wrapper.IsMatch(...) succeeds) to preserve the memory savings introduced in TarReader.Factory.

[Copilot]

Calling StartRecording(TarWrapper.MaximumRewindBufferSize) here forces allocating the maximum ring buffer for every stream opened via TarFactory.OpenAsyncReader, even when the archive isn’t BZip2/ZStd. Consider a lazy growth approach (small initial buffer, grow only after IsMatchAsync succeeds) to avoid the per-reader ~900KB allocation in the common case.

[Copilot]

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.