db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3898) Blob.setBytes differs between embedded and client driver when the specified length is invalid
Date Tue, 17 Aug 2010 09:07:19 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Knut Anders Hatlen updated DERBY-3898:
--------------------------------------

    Attachment: overflow.diff

One small corner case: The patch checks whether (len + offset > bytes.length) is true to
detect if the sum of len and offset exceeds the length of the byte buffer. However, if the
sum of len and offset is greater than Integer.MAX_VALUE, (len + offset) will overflow and
return a negative result. Since a negative value will not be considered greater than bytes.length,
the check will fail to detect that the sum is too big.

Example that shows the bug:

    blob.setBytes(1, new byte[100], 10, Integer.MAX_VALUE);

The above statement will fail with an IndexOutOfBoundsException on the embedded driver. On
the client driver, no error is raised at all. The expected result is an SQLException.

I've attached a patch which fixes the problem by changing (len + offset > bytes.length)
to (len > bytes.length - offset). Since we know at this point in the code that both bytes.length
and offset are non-negative, we also know that (bytes.length - offset) cannot overflow. The
patch also adds a test case for the bug.

> Blob.setBytes differs between embedded and client driver when the specified length is
invalid
> ---------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3898
>                 URL: https://issues.apache.org/jira/browse/DERBY-3898
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC
>    Affects Versions: 10.3.3.0, 10.4.2.0, 10.5.1.1, 10.6.1.0
>            Reporter: Kristian Waagan
>            Assignee: Yun Lee
>            Priority: Minor
>             Fix For: 10.7.0.0
>
>         Attachments: derby-3898-1.patch, derby-3898-1.stat, derby-3898-testcase.patch,
derby-3898-testcase.stat, Derby3898.java, overflow.diff
>
>
> Blob.setBytes behaves differently with the embedded driver and the client driver.
> Assume a 1 byte array and a specified length of 2: Blob.setBytes(1, new byte[] {0x69},
0, 2)
> Embedded: IndexOutOfBoundsException (from java.io.RandomAccessFile.writeBytes or System.arraycopy)
> Client: succeeds, returns insertion count 1
> The behavior should be made consistent, but what is the correct behavior?
> From the Blob.setBytes JavaDoc:
> "Writes all or part of the given byte array to the BLOB value that this Blob object represents
and returns the number of bytes written. Writing starts at position pos in the BLOB  value;
len bytes from the given byte array are written. The array of bytes will overwrite the existing
bytes in the Blob object starting at the position pos. If the end of the Blob value is reached
while writing the array of bytes, then the length of the Blob value will be increased to accomodate
the extra bytes."

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message