Posted to issues@commons.apache.org by "Gary Gregory (JIRA)" <ji...@apache.org> on 2019/07/06 15:12:00 UTC

[jira] [Commented] (BCEL-309) NegativeArraySizeException when Code attribute length is negative

    [ https://issues.apache.org/jira/browse/BCEL-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879697#comment-16879697 ] 

Gary Gregory commented on BCEL-309:
-----------------------------------

The {{Hello}} class file you provided is not in a Java package, therefore I cannot add it along with all of your other classes with the exact same unpackaged class name :( to our {{src/test/resources}} folder.

It would be great if you could provide class files in a package named after _something_ like jqf_0, jqf_1, and so on. This would allow us to add these files as {{src/test/resources/jqf_0/Hello.class}}, {{src/test/resources/jqf_1/Hello.class}}, and so on.

> NegativeArraySizeException when Code attribute length is negative
> -----------------------------------------------------------------
>
>                 Key: BCEL-309
>                 URL: https://issues.apache.org/jira/browse/BCEL-309
>             Project: Commons BCEL
>          Issue Type: Bug
>          Components: Parser
>    Affects Versions: 6.2
>            Reporter: Rohan Padhye
>            Priority: Major
>         Attachments: Hello.class
>
>
> Class parser throws an undocumented NegativeArraySizeException when parsing a malformed class file.
> h1. Steps to reproduce:
>  
>  
> Attempt to parse the attached file "Hello.class" using the API
> org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)
>  
> The file Hello.class was generated automatically by the fuzzer JQF ([https://github.com/rohanpadhye/jqf]).
> h2. Expected output:
> ClassFormatException should be thrown as the class file is malformed.
> h2. Observed output:
> Undocumented run-time exception is thrown:
> java.lang.NegativeArraySizeException
>  at org.apache.bcel.classfile.Code.<init>(Code.java:75)
>  at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
>  at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
>  at org.apache.bcel.classfile.Method.<init>(Method.java:82)
>  at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
>  at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)
>  
>  
> This is probably because the length of the Code attribute in a method is read as a 4-byte signed integer, and an array of that size is allocated without checking to see if the integer is negative.
>  
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
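The failure mode described in the report, as an added example that is not part of this issue thread and not BCEL's own code: a class-file attribute header is a u2 name index followed by a u4 length (per the JVM class-file format), and reading that u4 with DataInputStream.readInt() yields a signed Java int. The unchecked reader below reproduces the crash on a constructed attribute whose declared length is 0xFFFFFFFF; the checked reader widens the length to unsigned and bounds it against the bytes actually remaining, so a negative value and an absurdly large positive value (which would otherwise reach an OutOfMemoryError rather than a NegativeArraySizeException) are both rejected with a format exception. The ClassFormatException here is a local stand-in, not org.apache.bcel.classfile.ClassFormatException, and the sample bytes are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

public class AttributeLengthCheck {

    /** Stand-in for BCEL's ClassFormatException (assumption: a local class, not the library's). */
    static final class ClassFormatException extends RuntimeException {
        ClassFormatException(String msg) { super(msg); }
    }

    /** Unchecked read: the u4 attribute_length lands in a signed int and goes straight to the allocation. */
    static byte[] readAttributeBodyUnchecked(DataInputStream in) throws IOException {
        int nameIndex = in.readUnsignedShort();   // u2 attribute_name_index
        int length = in.readInt();                // u4 attribute_length, but signed here
        byte[] body = new byte[length];           // NegativeArraySizeException when length < 0
        in.readFully(body);
        return body;
    }

    /**
     * Checked read: treat the length as unsigned and require it to fit in the bytes that remain.
     * bytesLeft is the number of bytes still available in the enclosing structure, header included.
     */
    static byte[] readAttributeBodyChecked(DataInputStream in, long bytesLeft) throws IOException {
        int nameIndex = in.readUnsignedShort();
        long length = in.readInt() & 0xFFFFFFFFL;  // widen: a "negative" int is really a huge u4
        long available = bytesLeft - 6;            // header consumed: 2 (name index) + 4 (length)
        if (length > available) {
            throw new ClassFormatException("attribute " + nameIndex + " declares length " + length
                    + " but only " + available + " byte(s) remain");
        }
        byte[] body = new byte[(int) length];      // safe: length <= available <= Integer.MAX_VALUE
        in.readFully(body);
        return body;
    }

    /** Builds one attribute_info record in memory: u2 name index, u4 declared length, then the payload. */
    static byte[] encodeAttribute(int nameIndex, int declaredLength, byte[] payload) {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        try {
            out.writeShort(nameIndex);
            out.writeInt(declaredLength);
            out.write(payload);
            out.flush();
        } catch (IOException e) {
            throw new IllegalStateException(e);    // cannot happen for in-memory streams
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = { (byte) 0xB1 };          // constructed body: a single 'return' opcode
        byte[] wellFormed = encodeAttribute(7, payload.length, payload);
        byte[] malformed = encodeAttribute(7, 0xFFFFFFFF, payload);  // constructed: length -1 as signed int

        byte[] body = readAttributeBodyChecked(
                new DataInputStream(new ByteArrayInputStream(wellFormed)), wellFormed.length);
        System.out.println("checked, well-formed input: read " + body.length + " byte(s)");

        try {
            readAttributeBodyUnchecked(new DataInputStream(new ByteArrayInputStream(malformed)));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked, malformed input: " + e);
        }

        try {
            readAttributeBodyChecked(new DataInputStream(new ByteArrayInputStream(malformed)), malformed.length);
        } catch (ClassFormatException e) {
            System.out.println("checked, malformed input: " + e.getMessage());
        }
    }
}
```

The bound against remaining bytes is the part worth keeping: a sign check alone turns the crash into a clean exception, but it still lets a declared length such as 0x7FFFFFFF drive a 2 GB allocation attempt from a file that is a few hundred bytes long, which matters when a parser is fed untrusted class files.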