tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 46354] LIMIT_BUFFER setting causes arraycopy errors
Date Sun, 04 Jan 2009 00:14:27 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=46354





--- Comment #4 from Konstantin Kolinko <knst.kolinko@gmail.com>  2009-01-03 16:14:26
PST ---
This is caused by bug in implementation of
o.a.jasper.runtime.BodyContentImpl#setWriter(Writer)
in current tc6.0.x and tc5.5.x code (and thus in TC 6.0.18, TC 5.5.27).

That method is called by PageContextImpl#pushBody(Writer) and is the one that
prepares the bodycontent instance for reuse.

The current code, with comments omitted, is the following:

558:    void setWriter(Writer writer) {
559:        this.writer = writer;
560:        closed = false;
561:        if (writer != null) {
571:            if (bufferSize != 0) {
572:                bufferSizeSave = bufferSize;
573:                bufferSize = 0;
574:            }
575:        } else {
576:            bufferSize = bufferSizeSave;
577:            clearBody();
578:        }
579:    }

The unconditional assignment on line 576 is wrong.

Consider the following sequence of events:
1. setWriter(null)
   bufferSize = bufferSizeSave  is assigned 0 // <- this is wrong (1)
2. write more than 512 bytes of data
   bufferSize becomes > 512

3. setWriter(writer)
   bufferSizeSave = bufferSize  is assigned value that is > 512

4. setWriter(null)
   bufferSize = bufferSizeSave  is > 512
   BodyContentImpl#clear() is called and shrinks the buffer to its default size
of 512, bufferSize becomes 512
5. write several bytes of data

6. setWriter(null)
   bufferSize = bufferSizeSave  is > 512  // <- this is wrong (2)
7. write more than 512 bytes of data

At this point the ArrayIndexOutOfBoundsException should occur, because
bufferSize is > 512, but the buffer is only 512 bytes.


-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message