hc-dev mailing list archives

From "Steven Enns (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HTTPCORE-441) Integer overflow in EntityUtils.toByteArray
Date Wed, 11 Jan 2017 22:39:16 GMT
Steven Enns created HTTPCORE-441:

             Summary: Integer overflow in EntityUtils.toByteArray
                 Key: HTTPCORE-441
                 URL: https://issues.apache.org/jira/browse/HTTPCORE-441
             Project: HttpComponents HttpCore
          Issue Type: Bug
          Components: HttpCore
    Affects Versions: 5.0-alpha1, 4.4.4, 4.3.3
            Reporter: Steven Enns

EntityUtils.toByteArray copies bytes from InputStream to byte[].  Bytes from the InputStream
are appended to a ByteArrayBuffer in chunks of 4KB.  When the buffer reaches capacity, ByteArrayBuffer::expand
is called to increase capacity by a factor of 2.  However, when the array size exceeds 1/2
of Integer.MAX_VALUE (about 1.07GB), the doubled size overflows.  The overflowed value is
less than the newlen that was requested, so the buffer grows by just 4KB to the exact size
that was requested.  A subsequent resize and copy is executed at every iteration of the loop
in ByteArrayBuffer::append, every remaining 4KB until the end of the InputStream.  Execution
times increase rapidly and may cause execution to hang indefinitely.

See ByteArrayBuffer::expand for integer overflow:

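    private void expand(final int newlen) {
        // this.buffer.length << 1 is evaluated as an int and wraps negative
        // once the buffer length reaches 2^30, so Math.max() returns newlen
        final byte newbuffer[] = new byte[Math.max(this.buffer.length << 1, newlen)];
        System.arraycopy(this.buffer, 0, newbuffer, 0, this.len);
        this.buffer = newbuffer;
    }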


This message was sent by Atlassian JIRA