You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@xalan.apache.org by "Martin Suter (JIRA)" <xa...@xml.apache.org> on 2007/02/12 16:19:05 UTC
[jira] Created: (XALANJ-2366) CLONE -ArrayIndexOutOfBoundsException
from integer overflow in WriterToUTF8Buffered#write()
CLONE -ArrayIndexOutOfBoundsException from integer overflow in WriterToUTF8Buffered#write()
-------------------------------------------------------------------------------------------
Key: XALANJ-2366
URL: https://issues.apache.org/jira/browse/XALANJ-2366
Project: XalanJ2
Issue Type: Bug
Components: Serialization
Affects Versions: 2.6
Environment: Operating System: All
Platform: All
Reporter: Martin Suter
Assigned To: Xalan Developers Mailing List
Fix For: 2.7
The rework to chunk buffers of data in the write(char [], int, int)
method can lead to an integer overflow in the computation of the end_chunk
then start_chunk variables. When the latter value becomes negative it
leads to an illegal array reference into the chars array. With the numbers
in play a data block of 4MB can lead to this situation.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: xalan-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xalan-dev-help@xml.apache.org
[jira] Updated: (XALANJ-2366) CLONE -ArrayIndexOutOfBoundsException
from integer overflow in WriterToUTF8Buffered#write()
Posted by "Martin Suter (JIRA)" <xa...@xml.apache.org>.
[ https://issues.apache.org/jira/browse/XALANJ-2366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Suter updated XALANJ-2366:
---------------------------------
Fix Version/s: (was: 2.7)
Priority: Critical
Description:
if the length of the incoming string in the write method is greater than BYTES_MAX, the string will broken up in chunks...
and an ArrayIndexOutOfBoundsException will be thrown, because:
s.getChars(start_chunk,end_chunk,m_inputChars,0);
start_chunk = 0
end_chunk = 6643
m_inputchars = char[5463] (!)
the calculation of 'split' is wrong.. it must be:
int split = 1 + length / CHARS_MAX;
was:
The rework to chunk buffers of data in the write(char [], int, int)
method can lead to an integer overflow in the computation of the end_chunk
then start_chunk variables. When the latter value becomes negative it
leads to an illegal array reference into the chars array. With the numbers
in play a data block of 4MB can lead to this situation.
Affects Version/s: (was: 2.6)
2.7
> CLONE -ArrayIndexOutOfBoundsException from integer overflow in WriterToUTF8Buffered#write()
> -------------------------------------------------------------------------------------------
>
> Key: XALANJ-2366
> URL: https://issues.apache.org/jira/browse/XALANJ-2366
> Project: XalanJ2
> Issue Type: Bug
> Components: Serialization
> Affects Versions: 2.7
> Environment: Operating System: All
> Platform: All
> Reporter: Martin Suter
> Assigned To: Xalan Developers Mailing List
> Priority: Critical
>
> if the length of the incoming string in the write method is greater than BYTES_MAX, the string will broken up in chunks...
> and an ArrayIndexOutOfBoundsException will be thrown, because:
> s.getChars(start_chunk,end_chunk,m_inputChars,0);
> start_chunk = 0
> end_chunk = 6643
> m_inputchars = char[5463] (!)
> the calculation of 'split' is wrong.. it must be:
> int split = 1 + length / CHARS_MAX;
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
---------------------------------------------------------------------
To unsubscribe, e-mail: xalan-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xalan-dev-help@xml.apache.org