From "Gary Gregory (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (BCEL-309) NegativeArraySizeException when Code attribute length is negative
Date Sat, 25 Aug 2018 16:26:00 GMT

    [ https://issues.apache.org/jira/browse/BCEL-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16592644#comment-16592644
] 

Gary Gregory commented on BCEL-309:
-----------------------------------

We welcome pull requests with unit tests: https://github.com/apache/commons-bcel

> NegativeArraySizeException when Code attribute length is negative
> -----------------------------------------------------------------
>
>                 Key: BCEL-309
>                 URL: https://issues.apache.org/jira/browse/BCEL-309
>             Project: Commons BCEL
>          Issue Type: Bug
>          Components: Parser
>    Affects Versions: 6.2
>            Reporter: Rohan Padhye
>            Priority: Major
>         Attachments: Hello.class
>
>
> Class parser throws an undocumented NegativeArraySizeException when parsing a malformed class file.
> h1. Steps to reproduce:
>
> Attempt to parse the attached file "Hello.class" using the API
> org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)
>
> The file Hello.class was generated automatically by the fuzzer JQF ([https://github.com/rohanpadhye/jqf]).
> h2. Expected output:
> ClassFormatException should be thrown as the class file is malformed.
> h2. Observed output:
> Undocumented run-time exception is thrown:
> java.lang.NegativeArraySizeException
>  at org.apache.bcel.classfile.Code.<init>(Code.java:75)
>  at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
>  at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
>  at org.apache.bcel.classfile.Method.<init>(Method.java:82)
>  at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
>  at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)
>
> This is probably because the length of the Code attribute in a method is read as a 4-byte signed integer, and an array of that size is allocated without checking to see if the integer is negative.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
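As an added illustration of the failure mode in the report, and of the check a hardened class-file parser would make before allocating: this is example code written for this archive page, not BCEL's own code. The ClassFormatException class here is a local stand-in for BCEL's, the method names are my own, the reader starts just after the attribute_name_index/attribute_length header of a Code attribute, and the byte fragments are constructed inline (one well-formed, one with a u4 code_length whose sign bit is set). The bounds come from JVMS §4.7.3, which requires 0 < code_length < 65536.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;

/** Local stand-in for org.apache.bcel.classfile.ClassFormatException; not the library's class. */
final class ClassFormatException extends RuntimeException {
    ClassFormatException(String message) { super(message); }
}

public final class CodeLengthCheck {

    /** Mirrors the reported failure: the u4 field is read as a signed int and used to size an array. */
    static byte[] readCodeUnchecked(DataInputStream in) throws IOException {
        in.readUnsignedShort();                 // max_stack
        in.readUnsignedShort();                 // max_locals
        int codeLength = in.readInt();          // u4 with the sign bit set becomes negative
        byte[] code = new byte[codeLength];     // NegativeArraySizeException for 0x80000000..0xFFFFFFFF
        in.readFully(code);
        return code;
    }

    /** Reads a u4 as an unsigned value and rejects anything outside [min, max] or beyond the bytes left. */
    static int readU4Length(DataInputStream in, String field, long min, long max, long remaining)
            throws IOException {
        long value = in.readInt() & 0xFFFFFFFFL;      // reinterpret the signed int as unsigned
        if (value < min || value > max) {
            throw new ClassFormatException(field + " out of range: " + value);
        }
        if (value > remaining) {
            throw new ClassFormatException(field + " " + value + " exceeds " + remaining + " remaining bytes");
        }
        return (int) value;                           // safe: value <= max < Integer.MAX_VALUE
    }

    /** Hardened reader: validate before allocating. attributeBytes is the size of the attribute body. */
    static byte[] readCodeChecked(DataInputStream in, int attributeBytes) throws IOException {
        in.readUnsignedShort();                 // max_stack
        in.readUnsignedShort();                 // max_locals
        // JVMS 4.7.3: 0 < code_length < 65536; 8 bytes (max_stack, max_locals, code_length) already consumed
        int codeLength = readU4Length(in, "code_length", 1, 65535, attributeBytes - 8L);
        byte[] code = new byte[codeLength];
        in.readFully(code);
        return code;
    }

    /** Constructed fragment: max_stack=1, max_locals=1, the given u4 code_length, then the code bytes. */
    static byte[] fragment(int codeLength, byte[] code) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeShort(1);
        out.writeShort(1);
        out.writeInt(codeLength);
        out.write(code);
        out.flush();
        return bytes.toByteArray();
    }

    private static DataInputStream stream(byte[] data) {
        return new DataInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        byte[] good = fragment(1, new byte[] { (byte) 0xB1 });   // a single 'return' instruction
        byte[] bad  = fragment(0xFFFFFFFF, new byte[0]);         // u4 code_length read as -1

        System.out.println("checked/good: " + readCodeChecked(stream(good), good.length).length + " byte(s)");

        try {
            readCodeUnchecked(stream(bad));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked/bad: " + e);           // the undocumented exception from the report
        }
        try {
            readCodeChecked(stream(bad), bad.length);
        } catch (ClassFormatException e) {
            System.out.println("checked/bad: " + e.getMessage()); // the documented, expected failure
        }
    }
}
```

The two checks in readU4Length are deliberately separate: the range check catches lengths that can never be valid for this field, while the remaining-bytes check catches a length that is in range but larger than the enclosing attribute, which would otherwise surface as an EOFException (or, for a large value, a needless multi-gigabyte allocation) rather than as a ClassFormatException.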
