Posted to dev@xmlbeans.apache.org by "Joshua Blatt (JIRA)" <xm...@xml.apache.org> on 2005/03/02 18:31:57 UTC

[jira] Updated: (XMLBEANS-115) ArrayIndexOutOfBounds test case and patch for version 1.0.3

     [ http://issues.apache.org/jira/browse/XMLBEANS-115?page=history ]

Joshua Blatt updated XMLBEANS-115:
----------------------------------

    Attachment: xmlbeans_arrayindexoutofbounds_test.tar.gz

(1) tar xvf xmlbeans_arrayindexoutofbounds_test.tar.gz
(2) cd xmlbeans_arrayindexoutofbounds_test
(3) cat README

> ArrayIndexOutOfBounds test case and patch for version 1.0.3
> -----------------------------------------------------------
>
>          Key: XMLBEANS-115
>          URL: http://issues.apache.org/jira/browse/XMLBEANS-115
>      Project: XMLBeans
>         Type: Bug
>   Components: XmlObject
>     Versions: Version 1.0.3
>  Environment: JDK 1.4.2, Redhat Enterprise Linux 3.0
>     Reporter: Joshua Blatt
>  Attachments: xmlbeans_arrayindexoutofbounds_test.tar.gz
>
> We've seen intermittent ArrayIndexOutOfBounds exceptions thrown by xmlbeans version 1.0.3 in our production environment (JDK 1.4.2, Redhat Enterprise Linux 3.0).  A typical stack trace looks like this:
>  
> Caused by: java.lang.ArrayIndexOutOfBoundsException
> at java.lang.System.arraycopy(Native Method)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2057)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1890) 
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1369)
> at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:777)
> at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:520)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1660)
> at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2150)
> at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2273)
> at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3130)
> at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:178)
> at com.overture.service.common.xml.Utils.toString(Utils.java:143)
> ... 31 more
>  
> Looking at the org.apache.xmlbeans.impl.store.Saver$TextSaver.replace implementation, it's pretty clear that there's a bug in this code.  When reserved xml characters like '&', '<', etc. are replaced by their "&amp;", "&lt;", etc. equivalents, all the characters in the _buf buffer are shuffled over to make room for the extra characters.  The shuffle, however, does not wrap around to the beginning of the buffer if the extra length required would exceed _buf.length.  The result is an intermittent buffer overflow that is more likely the more reserved characters are present in the input.
> The output below is from a diagnostic System.err.println added to the TextSaver.replace method running our test case:
>  
> [java] _out = 0, _in = 8472, i =7496, _buf.length = 16384, dCch = 9, _free = 7912, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 9754, i =9233, _buf.length = 16384, dCch = 9, _free = 14822, replacement = <![CDATA[> 
> [java] _out = 8192, _in = 11269, i =10514, _buf.length = 16384, dCch = 9, _free = 13307, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 12838, i =12029, _buf.length = 16384, dCch = 9, _free = 11738, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 14241, i =13598, _buf.length = 16384, dCch = 9, _free = 10335, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15341, i =15002, _buf.length = 16384, dCch = 9, _free = 9235, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 16115, i =16101, _buf.length = 16384, dCch = 4, _free = 8461, replacement = &amp; 
> [java] _out = 8192, _in = 16119, i =16109, _buf.length = 16384, dCch = 4, _free = 8457, replacement = &amp; 
> [java] _out = 8192, _in = 16123, i =16114, _buf.length = 16384, dCch = 3, _free = 8453, replacement = &lt; 
> [java] _out = 8192, _in = 16126, i =16118, _buf.length = 16384, dCch = 4, _free = 8450, replacement = &amp; 
> [java] _out = 8192, _in = 16130, i =16125, _buf.length = 16384, dCch = 3, _free = 8446, replacement = &lt; 
> [java] _out = 8192, _in = 16133, i =16130, _buf.length = 16384, dCch = 4, _free = 8443, replacement = &amp; 
> [java] _out = 8192, _in = 16137, i =16136, _buf.length = 16384, dCch = 3, _free = 8439, replacement = &lt; 
> [java] _out = 0, _in = 1238, i =505, _buf.length = 16384, dCch = 9, _free = 15146, replacement = <![CDATA[< 
> [java] _out = 0, _in = 2140, i =2003, _buf.length = 16384, dCch = 9, _free = 14244, replacement = <![CDATA[ 
> [java] _out = 0, _in = 3041, i =2904, _buf.length = 16384, dCch = 9, _free = 13343, replacement = <![CDATA[?
> [java] _out = 0, _in = 4658, i =3806, _buf.length = 16384, dCch = 9, _free = 11726, replacement = <![CDATA[& 
> [java] _out = 0, _in = 6069, i =5422, _buf.length = 16384, dCch = 9, _free = 10315, replacement = <![CDATA[ 
> [java] _out = 0, _in = 7485, i =6831, _buf.length = 16384, dCch = 9, _free = 8899, replacement = <![CDATA[& 
> [java] _out = 0, _in = 8513, i =8246, _buf.length = 16384, dCch = 9, _free = 7871, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 9393, i =9275, _buf.length = 16384, dCch = 9, _free = 15183, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 10309, i =10154, _buf.length = 16384, dCch = 9, _free = 14267, replacement = <![CDATA[& 
> [java] _out = 0, _in = 8732, i =7756, _buf.length = 16384, dCch = 9, _free = 7652, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 10014, i =9493, _buf.length = 16384, dCch = 9, _free = 14562, replacement = <![CDATA[> 
> [java] _out = 8192, _in = 11529, i =10774, _buf.length = 16384, dCch = 9, _free = 13047, replacement = <![CDATA[ 
> [java] _out = 8192, _in = 13098, i =12289, _buf.length = 16384, dCch = 9, _free = 11478, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 14501, i =13858, _buf.length = 16384, dCch = 9, _free = 10075, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15601, i =15262, _buf.length = 16384, dCch = 9, _free = 8975, replacement = <![CDATA[& 
> [java] _out = 8192, _in = 16375, i =16361, _buf.length = 16384, dCch = 4, _free = 8201, replacement = &amp; 
> [java] _out = 8192, _in = 16379, i =16369, _buf.length = 16384, dCch = 4, _free = 8197, replacement = &amp; 
> [java] _out = 8192, _in = 16383, i =16374, _buf.length = 16384, dCch = 3, _free = 8193, replacement = &lt; 
> [java] java.lang.ArrayIndexOutOfBoundsException
> [java] at java.lang.System.arraycopy(Native Method)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2058)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1886)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1367)
> [java] at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
> [java] at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2151)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2274)
> [java] at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3118)
> [java] at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> [java] at com.overture.test.XmlBeansTest$WorkerThread.run(XmlBeansTest.java:88)
> [java] died at iteration: 32
>  
> Attached is the test case that consistently reproduces this problem.
> Inside the tarball is also a patch that has fixed the problem in our environment.  Check out the included README for details on both the test case and the fix.
>  
> I think it's also possible that this is the cause of this unresolved bug in your bugzilla: http://issues.apache.org/jira/browse/XMLBEANS-87
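
The failure mode described in the report, as an added example: a simplified model of a circular character buffer, not the XMLBeans Saver code and not the patch in the attached tarball. The names replaceLinear and replaceWrapped are hypothetical, the buffer content is constructed, and the model assumes the pending text occupies one contiguous run [_out, _in); the indices are taken from the last diagnostic line before the exception.

```java
import java.util.Arrays;

/** Simplified model of the reported bug; not XMLBeans code, not the attached patch. */
public class RingReplaceDemo {

    // Linear shift as the report describes it: the tail after position i moves
    // right by dCch with no wrap-around. System.arraycopy rejects the copy
    // (leaving buf unmodified) as soon as in + dCch exceeds buf.length.
    static int replaceLinear(char[] buf, int in, int i, String rep) {
        int dCch = rep.length() - 1;              // extra chars needed
        System.arraycopy(buf, i + 1, buf, i + 1 + dCch, in - i - 1);
        rep.getChars(0, rep.length(), buf, i);
        return in + dCch;
    }

    // Wrap-aware variant: move the tail highest index first and take every
    // destination index modulo buf.length. Assumes the caller has already
    // checked that dCch free slots exist, as the _free counter implies.
    static int replaceWrapped(char[] buf, int in, int i, String rep) {
        int n = buf.length, dCch = rep.length() - 1;
        for (int k = in - 1; k > i; k--) {
            buf[(k + dCch) % n] = buf[k];
        }
        for (int k = 0; k < rep.length(); k++) {
            buf[(i + k) % n] = rep.charAt(k);
        }
        return (in + dCch) % n;                   // new write position, wrapped
    }

    public static void main(String[] args) {
        // From the report: _out = 8192, _in = 16383, i = 16374, _buf.length = 16384
        int out = 8192, in = 16383, i = 16374;
        char[] buf = new char[16384];
        Arrays.fill(buf, out, in, 'x');           // constructed content
        buf[i] = '<';                             // reserved char to be entitized
        try {
            replaceLinear(buf, in, i, "&lt;");
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("linear shift needs index " + (in + 3)
                    + " but buf.length is " + buf.length);
        }
        int newIn = replaceWrapped(buf, in, i, "&lt;");
        System.out.println("wrapped shift ok, new _in = " + newIn
                + ", replaced text = " + new String(buf, i, 4));
    }
}
```

In the diagnostic output above, every earlier replacement satisfies _in + dCch <= _buf.length, which is why the linear shift only fails once _in gets within dCch of the end of the buffer.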
