db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3739) Calls to ArrayInputStream.skip() may overflow and have unexpected results
Date Mon, 30 Jun 2008 10:15:45 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Knut Anders Hatlen updated DERBY-3739:
--------------------------------------

    Attachment: d3739-skip.stat
                d3739-skip.diff

skip() also had a problem when the count argument was negative. According to the javadoc for
InputStream.skip(), the return value should be 0 in that case and no bytes should be skipped,
but ArrayInputStream's implementation would decrease the position pointer and return the negative
number. The attached patch fixes both the overflow and the problem with a negative argument.
skipBytes() has the same problems, so I made it forward calls to skip() in order to fix the
problem there as well.

I didn't find any way to trigger the bug from user code since none of the streams that are
returned to the users are built on top of ArrayInputStream, as far as I could see. Still,
I think it should follow the contract of InputStream so that it doesn't give us any unpleasant
surprises if we start using ArrayInputStream in other ways than we currently do. Since I couldn't
find a way to test this through JDBC or SQL, I created ArrayInputStreamTest which tests the
class directly.

I also noticed that read(byte[],int,int) and readFully(byte[],int,int) have similar issues.
Will fix those in a separate patch.

suites.All and derbyall ran cleanly with the patch.

> Calls to ArrayInputStream.skip() may overflow and have unexpected results
> -------------------------------------------------------------------------
>
>                 Key: DERBY-3739
>                 URL: https://issues.apache.org/jira/browse/DERBY-3739
>             Project: Derby
>          Issue Type: Bug
>          Components: Store
>    Affects Versions: 10.5.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: d3739-skip.diff, d3739-skip.stat
>
>
> If ArrayInputStream.skip() is called with a large value (like Long.MAX_VALUE) an internal
calculation may overflow and cause unexpected results.
> It's the line which says
>     if ((position + count) > end) {
> that can overflow. If count (a long) is so big that position + count doesn't fit in a
long, the condition will evaluate to false although it should have evaluated to true. Changing
the condition to (count > end - position) will fix the problem. Alternatively, we could
simplify the entire method body to:
>     count = Math.min(count, end - position);
>     position += count;
>     return count;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message