hc-dev mailing list archives

From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HTTPCORE-441) Integer overflow in EntityUtils.toByteArray
Date Sat, 28 Jan 2017 09:57:25 GMT

     [ https://issues.apache.org/jira/browse/HTTPCORE-441?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski updated HTTPCORE-441:
    Priority: Minor  (was: Major)

> Integer overflow in EntityUtils.toByteArray
> -------------------------------------------
>                 Key: HTTPCORE-441
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-441
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore
>    Affects Versions: 4.3.3, 4.4.4, 5.0-alpha1
>            Reporter: Steven Enns
>            Priority: Minor
> EntityUtils.toByteArray copies bytes from InputStream to byte[].  Bytes from the InputStream
> are appended to a ByteArrayBuffer in chunks of 4KB.  When the buffer reaches capacity, ByteArrayBuffer::expand
> is called to increase capacity by a factor of 2.  However, when the array size exceeds 1/2
> of Integer.MAX_VALUE (about 1.07GB), the doubled size overflows.  The overflowed value is
> less than the newlen that was requested, so the buffer grows by just 4KB to the exact size
> that was requested.  A subsequent resize and copy is executed at every iteration of the loop
> in ByteArrayBuffer::append, every remaining 4KB until the end of the InputStream.  Execution
> times increase rapidly and may cause execution to hang indefinitely.
> See ByteArrayBuffer::expand for integer overflow:
>     private void expand(final int newlen) {
>         final byte newbuffer[] = new byte[Math.max(this.buffer.length << 1, newlen)];
>         System.arraycopy(this.buffer, 0, newbuffer, 0, this.len);
>         this.buffer = newbuffer;
>     }
> https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.4.6/httpcore/src/main/java/org/apache/http/util/ByteArrayBuffer.java
> https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/5.0-alpha2-RC2/httpcore5/src/main/java/org/apache/hc/core5/util/ByteArrayBuffer.java

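The growth arithmetic described in the report, as an added example (not code from the report or from HttpCore): it models capacity only, so no large arrays are allocated, and counts how often expand() would run and how many bytes it would copy. The 4096-byte initial capacity, the 1.5 GiB stream size, `clampedGrowth` and its `Integer.MAX_VALUE - 8` limit are assumptions for illustration, not the project's fix.

```java
import java.util.function.IntBinaryOperator;

public class GrowthOverflowDemo {
    static final int CHUNK = 4096;                       // append size quoted in the report
    static final int MAX_ARRAY = Integer.MAX_VALUE - 8;  // assumed upper bound for a byte[]

    // Capacity rule from the quoted expand(): the shift wraps negative once capacity >= 2^30,
    // so Math.max falls back to newlen and the buffer grows by one chunk only.
    static int reportedGrowth(int capacity, int newlen) {
        return Math.max(capacity << 1, newlen);
    }

    // Hypothetical overflow-safe rule: double in 64-bit arithmetic, then clamp to MAX_ARRAY.
    static int clampedGrowth(int capacity, int newlen) {
        if (newlen < 0 || newlen > MAX_ARRAY) {          // newlen < 0 means the caller's sum wrapped
            throw new OutOfMemoryError("required capacity exceeds array limit: " + newlen);
        }
        long doubled = (long) capacity << 1;
        return (int) Math.min(Math.max(doubled, newlen), MAX_ARRAY);
    }

    // Returns {expand() calls, bytes moved by arraycopy} for a stream of `total` bytes.
    static long[] simulate(long total, IntBinaryOperator growth) {
        int capacity = CHUNK;                            // assumed initial buffer capacity
        int len = 0;
        long resizes = 0, copied = 0;
        for (long read = 0; read < total; read += CHUNK) {
            int newlen = len + CHUNK;
            if (newlen > capacity) {
                copied += len;                           // expand() copies the current contents
                capacity = growth.applyAsInt(capacity, newlen);
                resizes++;
            }
            len = newlen;
        }
        return new long[] {resizes, copied};
    }

    public static void main(String[] args) {
        long total = 1536L << 20;                        // constructed input: 1.5 GiB entity body
        long[] bad = simulate(total, GrowthOverflowDemo::reportedGrowth);
        long[] ok = simulate(total, GrowthOverflowDemo::clampedGrowth);
        System.out.printf("reported: %,d resizes, %,d bytes copied%n", bad[0], bad[1]);
        System.out.printf("clamped:  %,d resizes, %,d bytes copied%n", ok[0], ok[1]);
    }
}
```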