Posted to issues@commons.apache.org by "Thomas Neidhart (Jira)" <ji...@apache.org> on 2020/02/13 12:29:00 UTC

[jira] [Commented] (BCEL-309) NegativeArraySizeException when Code attribute length is negative

    [ https://issues.apache.org/jira/browse/BCEL-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17036177#comment-17036177 ] 

Thomas Neidhart commented on BCEL-309:
--------------------------------------

It is common practice to read the code_length value e.g. using readInt().
The JVM specification mandates that the code_length does not exceed 65536, see [https://docs.oracle.com/javase/specs/jvms/se7/html/jvms-4.html#jvms-4.9.1]
Also when running javap on the class it generates an error:
{code}

public static void main(java.lang.String[]);
 descriptor: ([Ljava/lang/String;)V
 flags: (0x0009) ACC_PUBLIC, ACC_STATIC
Error: Unexpected or invalid value for Code attribute
Error: java.lang.reflect.InvocationTargetException
 Code: length = 0x25
 00 02 00 F5 3D 85 1B FD B2 00 02 12 03 B6 00 04
 B1 00 00 00 01 00 0A 00 00 00 0A 00 02 00 00 00
 03 00 08 00 04

{code}
Also, ProGuard cannot process this class file. I would not consider this a bug and would rather close the issue as won't fix.

The tool that processed this class file is more likely to contain a bug.

> NegativeArraySizeException when Code attribute length is negative
> -----------------------------------------------------------------
>
>                 Key: BCEL-309
>                 URL: https://issues.apache.org/jira/browse/BCEL-309
>             Project: Commons BCEL
>          Issue Type: Bug
>          Components: Parser
>    Affects Versions: 6.2
>            Reporter: Rohan Padhye
>            Priority: Major
>         Attachments: Hello.class
>
>
> Class parser throws an undocumented NegativeArraySizeException when parsing a malformed class file.
> h1. Steps to reproduce:
>  
>  
> Attempt to parse the attached file "Hello.class" using the API
> org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)
>  
> The file Hello.class was generated automatically by the fuzzer JQF ([https://github.com/rohanpadhye/jqf]).
> h2. Expected output:
> ClassFormatException should be thrown as the class file is malformed.
> h2. Observed output:
> Undocumented run-time exception is thrown:
> java.lang.NegativeArraySizeException
>  at org.apache.bcel.classfile.Code.<init>(Code.java:75)
>  at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
>  at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
>  at org.apache.bcel.classfile.Method.<init>(Method.java:82)
>  at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
>  at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)
>  
>  
> This is probably because the length of the Code attribute in a method is read as a 4-byte signed integer, and an array of that size is allocated without checking to see if the integer is negative.
>  
>  
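For reference, the following is an added, self-contained example of how a parser can validate the u4 code_length field before allocating the code[] array, so that a fuzzed or corrupted class file produces a ClassFormatException rather than a NegativeArraySizeException. It is not BCEL's own code; it assumes a stream positioned at the code_length field of a Code attribute, and uses the bound from JVMS 4.9.1 (the spec's exact wording is that code_length must be greater than zero and less than 65536). The class and method names, and the sample byte arrays, are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

/** Added example (not BCEL code): defensive read of a Code attribute's code_length. */
public class CodeLengthCheck {

    /** Thrown for structurally invalid input instead of letting a bare runtime exception escape. */
    public static class ClassFormatException extends RuntimeException {
        public ClassFormatException(String msg) {
            super(msg);
        }
    }

    // JVMS 4.9.1: 0 < code_length < 65536.
    static final int MAX_CODE_LENGTH = 65535;

    /**
     * Reads code[] from a stream positioned at the code_length field.
     * code_length is a u4 in the class file, but readInt() returns a signed
     * Java int, so values >= 0x80000000 come back negative; both negative and
     * oversized values are rejected before any allocation happens.
     */
    public static byte[] readCode(DataInputStream in) throws IOException {
        int codeLength = in.readInt();
        if (codeLength <= 0 || codeLength > MAX_CODE_LENGTH) {
            // Report the unsigned value the file actually contained.
            throw new ClassFormatException(
                "Invalid code_length in Code attribute: " + (codeLength & 0xFFFFFFFFL));
        }
        byte[] code = new byte[codeLength]; // safe: 1..65535
        in.readFully(code);                 // EOFException if the file is truncated
        return code;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: code_length 0xFFFFFFF0 (negative as a signed int), then one byte.
        byte[] bad = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xF0, (byte) 0xB1};
        try {
            readCode(new DataInputStream(new ByteArrayInputStream(bad)));
            System.out.println("unexpected: negative length was accepted");
        } catch (ClassFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed valid input: code_length 1 followed by a single 'return' opcode (0xB1).
        byte[] good = {0, 0, 0, 1, (byte) 0xB1};
        byte[] code = readCode(new DataInputStream(new ByteArrayInputStream(good)));
        System.out.println("accepted code[] of length " + code.length);
    }
}
```

The check sits before the allocation on purpose: once new byte[codeLength] runs with a negative value, the JVM throws NegativeArraySizeException and the parser loses the chance to report a meaningful format error. The same pattern applies to every u4 length read from an untrusted class file (attribute_length, exception tables, and so on), since each is a candidate for the same sign-wrap problem.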



--
This message was sent by Atlassian Jira
(v8.3.4#803005)