db-derby-dev mailing list archives

From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3739) Skip and read methods in ArrayInputStream may overflow
Date Thu, 03 Jul 2008 08:12:45 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Knut Anders Hatlen updated DERBY-3739:
--------------------------------------

    Attachment: ReadOverflow.java
                d3739-read.diff

Here's a fix for read() and readFully(). I didn't add a test case, since it seems like the
overflow only causes wrong results if the sum of the length of the stream and the length of
the buffer we read into exceeds Integer.MAX_VALUE, *and* the current position is near the
end of the stream. Testing it requires a very big heap, in fact so big that we need a 64-bit
JVM. I have tested it manually with the attached ReadOverflow.java (which throws ArrayIndexOutOfBoundsException
without the fix and successfully reads 32K of data with the fix). Although the overflow is
unlikely to ever cause any problems, the fix is simple and doesn't add any extra complexity
or extra computation, so I think it would be good to fix it anyway.

> Skip and read methods in ArrayInputStream may overflow
> ------------------------------------------------------
>
>                 Key: DERBY-3739
>                 URL: https://issues.apache.org/jira/browse/DERBY-3739
>             Project: Derby
>          Issue Type: Bug
>          Components: Store
>    Affects Versions: 10.5.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: d3739-read.diff, d3739-skip.diff, d3739-skip.stat, ReadOverflow.java
>
>
> If ArrayInputStream.skip() is called with a large value (like Long.MAX_VALUE) an internal
> calculation may overflow and cause unexpected results.
> It's the line which says
>     if ((position + count) > end) {
> that can overflow. If count (a long) is so big that position + count doesn't fit in a
> long, the condition will evaluate to false although it should have evaluated to true. Changing
> the condition to (count > end - position) will fix the problem. Alternatively, we could
> simplify the entire method body to:
>     count = Math.min(count, end - position);
>     position += count;
>     return count;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
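
The overflow described in the issue, shown as an added example that is not part of the original message or of Derby's source. The names position, end and count come from the issue text; the class and method names are hypothetical, and the int read-style check is an assumed shape, since the message does not quote that code.

```java
// Added illustration, not Derby source. position/end/count follow the issue text;
// the class and method names are hypothetical.
public class SkipOverflowDemo {

    // Check as quoted in the issue: position + count is computed as a long
    // and wraps negative when count is close to Long.MAX_VALUE.
    static long skipUnchecked(int position, int end, long count) {
        if ((position + count) > end) {
            count = end - position;
        }
        return count; // number of bytes the caller would advance by
    }

    // Rearranged check from the issue: end - position cannot overflow
    // as long as 0 <= position <= end.
    static long skipChecked(int position, int end, long count) {
        if (count > end - position) {
            count = end - position;
        }
        return count;
    }

    // Assumed shape of a read-style check in int arithmetic (not quoted in the message).
    static boolean fitsUnchecked(int position, int end, int len) {
        return position + len <= end; // int sum can wrap negative
    }

    static boolean fitsChecked(int position, int end, int len) {
        return len <= end - position;
    }

    public static void main(String[] args) {
        int position = 10, end = 100;
        System.out.println("skip, original check:   "
                + skipUnchecked(position, end, Long.MAX_VALUE));
        System.out.println("skip, rearranged check: "
                + skipChecked(position, end, Long.MAX_VALUE));

        // Constructed values: position near the end of a stream close to 2 GB.
        int bigEnd = Integer.MAX_VALUE - 5, bigPos = bigEnd - 100, len = 32 * 1024;
        System.out.println("read fits, sum check:        "
                + fitsUnchecked(bigPos, bigEnd, len));
        System.out.println("read fits, difference check: "
                + fitsChecked(bigPos, bigEnd, len));
    }
}
```

With the original check, skip returns the full requested count instead of the 90 bytes that remain; the sum-based read check reports a 32K request as fitting when only 100 bytes are left.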

