Posted to commits@santuario.apache.org by "Ronald Boettcher (JIRA)" <ji...@apache.org> on 2016/07/15 11:07:20 UTC
[jira] [Updated] (SANTUARIO-450) Array index overflow in Base64 utility class
[ https://issues.apache.org/jira/browse/SANTUARIO-450?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ronald Boettcher updated SANTUARIO-450:
---------------------------------------
Attachment: Base64.java.patch
Usage of Patch:
# go to the Santuario xmlsec 2.0.7 source root directory
# save or copy Base64.java.patch to this directory
# call the patch command (I have GNU patch 2.7.1):
{code:bash}
~/src/java/xmlsec-2.0.7$ patch src/main/java/org/apache/xml/security/utils/Base64.java <Base64.java.patch
{code}
> Array index overflow in Base64 utility class
> --------------------------------------------
>
> Key: SANTUARIO-450
> URL: https://issues.apache.org/jira/browse/SANTUARIO-450
> Project: Santuario
> Issue Type: Bug
> Components: Java
> Affects Versions: Java 2.0.7
> Environment: JEE6 with Java 7
> Reporter: Ronald Boettcher
> Assignee: Colm O hEigeartaigh
> Attachments: Base64.java.patch
>
>
> We are using Santuario's XMLEncryption with aes256-cbc to reliably encrypt archival data and store it on disk/file system. For arbitrarily large XML objects (i.e. XML elements with large content; this is about >300 MB) the process of encryption fails with a java.lang.NegativeArraySizeException, because int is used instead of long for calculating the number of bits in preparation for Base64 encoding.
> This is an example of our stack trace:
> {code:title=Stacktrace|borderStyle=dashed}
> archiveSubmission(): Internal error
> java.lang.NegativeArraySizeException
> at org.apache.xml.security.utils.Base64.encode(Base64.java:384)
> at org.apache.xml.security.utils.Base64.encode(Base64.java:307)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1230)
> at org.apache.xml.security.encryption.XMLCipher.encryptData(XMLCipher.java:1136)
> {code}
> I just downloaded the source of the latest release 2.0.7, found the location of the bug, fixed it, compiled it and tested it with our environment.
> Here is what I changed in the code to diminish the array index overflow (basically it is a simple matter of just {color:red}*changing an int to a long*{color} when calculating the number of bits, i.e. multiplying by 8):
> {code:title=~/src/java/xmlsec-2.0.7/src/main/java/org/apache/xml/security/utils$ diff -Naur Base64.java Base64.java.patched|borderStyle=solid}
> --- Base64.java 2016-07-14 19:21:15.000699625 +0200
> +++ Base64.java.patched 2016-07-14 19:21:07.388596329 +0200
> @@ -369,14 +369,14 @@
> return null;
> }
>
> - int lengthDataBits = binaryData.length * EIGHTBIT;
> - if (lengthDataBits == 0) {
> + long lengthDataBits = ((long) binaryData.length) * ((long) EIGHTBIT);
> + if (lengthDataBits == 0L) {
> return "";
> }
>
> - int fewerThan24bits = lengthDataBits % TWENTYFOURBITGROUP;
> - int numberTriplets = lengthDataBits / TWENTYFOURBITGROUP;
> - int numberQuartet = fewerThan24bits != 0 ? numberTriplets + 1 : numberTriplets;
> + long fewerThan24bits = lengthDataBits % ((long) TWENTYFOURBITGROUP);
> + int numberTriplets = (int) (lengthDataBits / TWENTYFOURBITGROUP);
> + int numberQuartet = fewerThan24bits != 0L ? numberTriplets + 1 : numberTriplets;
> int quartesPerLine = length / 4;
> int numberLines = (numberQuartet - 1) / quartesPerLine;
> char encodedData[] = null;
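Review bot: widening `lengthDataBits` to long stops `binaryData.length * EIGHTBIT` from wrapping at 2^28 input bytes, but the bit count is only ever divided by 24 again, so the simpler fix that removes this overflow class entirely is to not compute it at all: `int numberTriplets = binaryData.length / 3;` and `int fewerThan24bits = binaryData.length % 3;` give the same quartet count (8*n/24 == n/3, and 8*n % 24 is non-zero exactly when n % 3 is). If the long intermediate is kept, the `(long) EIGHTBIT` and `(long) TWENTYFOURBITGROUP` casts are redundant once the left operand is long, and the `(int)` narrowing of `numberTriplets` is correct only because the quotient is bounded by `binaryData.length / 3`; that deserves a one-line comment so the next reader does not "simplify" it back to int arithmetic. Note also that `numberQuartet`, `numberLines` and whatever size is later derived from them for `encodedData` stay int in the context lines, so the patch moves the limit rather than removing it: an explicit check that the encoded length fits in an int, throwing IllegalArgumentException, would be clearer than a second NegativeArraySizeException further down.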
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
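The size arithmetic behind the reported NegativeArraySizeException, replayed as an added example that is not part of the report or of Santuario's code. It takes the input length as a plain int so the wrap-around can be observed without building a 300 MB byte array, and it assumes a 76-character line width and the "four output chars per quartet plus one separator per line break" formula for the final array size; neither the line width nor that formula is shown on this page, they are assumptions about the original. Besides the negative sizes the report hit, it also shows a length for which the wrapped value comes out positive but far too small, which would overrun the array during encoding rather than fail at allocation.

```java
/**
 * Added example (not Santuario code): replays the output-size arithmetic that
 * precedes the char[] allocation in Base64.encode, unpatched and hardened.
 */
public class Base64SizeDemo {

    private static final int EIGHTBIT = 8;
    private static final int TWENTYFOURBITGROUP = 24;
    private static final int LINE_LENGTH = 76; // assumed default line width

    /**
     * Mirrors the unpatched int arithmetic. The returned value is what would
     * reach 'new char[...]'; it is wrong as soon as inputLength * 8 no longer
     * fits in 32 bits, i.e. for inputLength >= 1 << 28 (256 MiB).
     */
    static int encodedLengthUnpatched(int inputLength) {
        int lengthDataBits = inputLength * EIGHTBIT;            // wraps silently
        if (lengthDataBits == 0) {
            return 0;
        }
        int fewerThan24bits = lengthDataBits % TWENTYFOURBITGROUP;
        int numberTriplets = lengthDataBits / TWENTYFOURBITGROUP;
        int numberQuartet = fewerThan24bits != 0 ? numberTriplets + 1 : numberTriplets;
        int quartesPerLine = LINE_LENGTH / 4;
        int numberLines = (numberQuartet - 1) / quartesPerLine;
        return numberQuartet * 4 + numberLines;                  // assumed output formula
    }

    /**
     * Hardened version: derives the quartet count from the byte count directly
     * (8*n/24 == n/3, so no bit count is needed), keeps the rest in long, and
     * fails fast with a clear exception when the encoded output itself could
     * not fit in a Java array.
     */
    static int encodedLengthFixed(int inputLength) {
        if (inputLength < 0) {
            throw new IllegalArgumentException("negative length");
        }
        if (inputLength == 0) {
            return 0;
        }
        long numberTriplets = inputLength / 3;
        long numberQuartet = (inputLength % 3 != 0) ? numberTriplets + 1 : numberTriplets;
        long quartesPerLine = LINE_LENGTH / 4;
        long numberLines = (numberQuartet - 1) / quartesPerLine;
        long total = numberQuartet * 4 + numberLines;            // assumed output formula
        if (total > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("Base64 output of " + total
                    + " chars for " + inputLength + " input bytes exceeds Integer.MAX_VALUE");
        }
        return (int) total;
    }

    public static void main(String[] args) {
        // Lengths chosen around the 2^28 boundary; 300,000,000 matches the report.
        int[] lengths = { 1, 57, (1 << 28) - 1, 1 << 28, 300_000_000, Integer.MAX_VALUE };
        for (int n : lengths) {
            int unpatched = encodedLengthUnpatched(n);
            String verdict;
            try {
                int fixed = encodedLengthFixed(n);
                verdict = (unpatched == fixed)
                        ? "ok, size=" + fixed
                        : "WRONG (correct size=" + fixed + ")";
            } catch (IllegalArgumentException e) {
                verdict = "fixed version rejects input: " + e.getMessage();
            }
            if (unpatched < 0) {
                verdict += "; new char[" + unpatched + "] throws NegativeArraySizeException";
            }
            System.out.printf("input=%,d unpatched=%,d -> %s%n", n, unpatched, verdict);
        }
    }
}
```

Compile and run with `javac Base64SizeDemo.java && java Base64SizeDemo`. Inputs below 1 << 28 agree in both versions; 1 << 28 and 300,000,000 go negative in the unpatched arithmetic, which is the failure in the reported trace; Integer.MAX_VALUE wraps to a small positive size (4) in the unpatched version, while the hardened version rejects it because the encoded output would exceed what a Java array can hold.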