db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kathey Marsden (Resolved) (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DERBY-5126) ResultSet.getDouble() on a character or varchar column with some values will hang on JVM's impacted by CVE-2010-4476 - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number
Date Thu, 16 Feb 2012 00:49:00 GMT

     [ https://issues.apache.org/jira/browse/DERBY-5126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Kathey Marsden resolved DERBY-5126.
-----------------------------------

    Resolution: Invalid

Closing Invalid as this was a JVM issue
                
> ResultSet.getDouble() on a character or varchar column with some values  will hang  on
JVM's  impacted by CVE-2010-4476 - Java Runtime Environment hangs when converting "2.2250738585072012e-308"
to a binary floating-point number
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-5126
>                 URL: https://issues.apache.org/jira/browse/DERBY-5126
>             Project: Derby
>          Issue Type: Bug
>          Components: Test
>            Reporter: Kathey Marsden
>         Attachments: ReproCVE20104476.java
>
>
> There is a known serious JVM issue with  both Sun and IBM JVM's that can cause a hang
with the following code and perhaps other cases:
> public class ReproCVE20104476 {
>     private static final String PROBLEM_NUMBER_STRING="2.2250738585072012e-308" ;
>     public static void main(String[] args) throws Exception  {
> 	    Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
> 	    Connection conn = DriverManager.getConnection("jdbc:derby:wombat;create=true");
> 	    // clean up from a previous run
> 	    Statement s = conn.createStatement();
> 	    try {
> 		s.executeUpdate("DROP TABLE T");
> 	    } catch (SQLException se) {
> 		if (!se.getSQLState().equals("42Y55"))
> 		    throw se;
> 	    }
> 	    s.executeUpdate("CREATE TABLE T (d1 VARCHAR(30))");
> 	    PreparedStatement ps = conn.prepareStatement("INSERT INTO T VALUES (?)");
> 	    ps.setString(1, PROBLEM_NUMBER_STRING);
> 	    ps.executeUpdate();
> 	    ResultSet rs = s.executeQuery("SELECT * from T");
> 	    rs.next();
> 	    double d = rs.getDouble(1);
> 	    System.out.println("double value = " + d);
>     }
> }
> The IBM announcement and fix is here:
> http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
> There is  a link from that page to the Oracle announcement.
> I am not sure yet if Mac or other JVM's are affected.
> I would like to check a regression test into trunk  at some point soon, but this will
require that all people running Derby tests upgrade their JVM's, so want to set a reasonable
deadline.  Does April 15 sound reasonable?  Also are there any JVM's/platforms  that should
be excluded because there is not a fix available yet?
> Thanks
> Kathey

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message