hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oleg Kalnichevski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCORE-441) Integer overflow in EntityUtils.toByteArray
Date Thu, 26 Jan 2017 19:39:24 GMT

    [ https://issues.apache.org/jira/browse/HTTPCORE-441?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15840292#comment-15840292
] 

Oleg Kalnichevski commented on HTTPCORE-441:
--------------------------------------------

Steven
What is it exactly you propose we should do about it? Full disclaimer: in my opinion anyone
using {{EntityUtils#oByteArray}} for anything other than a quick hack is _insane_.

Oleg

> Integer overflow in EntityUtils.toByteArray
> -------------------------------------------
>
>                 Key: HTTPCORE-441
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-441
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore
>    Affects Versions: 4.3.3, 4.4.4, 5.0-alpha1
>            Reporter: Steven Enns
>
> EntityUtils.toByteArray copies bytes from InputStream to byte[].  Bytes from the InputStream
are appended to a ByteArrayBuffer in chunks of 4KB.  When the buffer reaches capacity, ByteArrayBuffer::expand
is called to increase capacity by a factor of 2.  However, when the array size exceeds 1/2
of Integer.MAX_VALUE (about 1.07GB), the doubled size overflows.  The overflowed value is
less than the newlen that was requested, so the buffer grows by just 4KB to the exact size
that was requested.  A subsequent resize and copy is executed at every iteration of the loop
in ByteArrayBuffer::append, every remaining 4KB until the end of the InputStream.  Execution
times increase rapidly and may cause execution to hang indefinitely.
> See ByteArrayBuffer::expand for integer overflow:
>     private void expand(final int newlen) {
>         final byte newbuffer[] = new byte[Math.max(this.buffer.length << 1, newlen)];
>         System.arraycopy(this.buffer, 0, newbuffer, 0, this.len);
>         this.buffer = newbuffer;
>     }
> https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.4.6/httpcore/src/main/java/org/apache/http/util/ByteArrayBuffer.java
> https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/5.0-alpha2-RC2/httpcore5/src/main/java/org/apache/hc/core5/util/ByteArrayBuffer.java



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message