This is an automated email from the ASF dual-hosted git repository.

aherbert pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-math.git


The following commit(s) were added to refs/heads/master by this push:
     new 2e251dd1b Fix int overflow in subarray bounds check in verifyValues 
and setData (#323)
2e251dd1b is described below

commit 2e251dd1bb9d2f1043751941e0860d93fb8ad15f
Author: Javid Khan <[email protected]>
AuthorDate: Mon Jun 1 20:29:09 2026 +0530

    Fix int overflow in subarray bounds check in verifyValues and setData (#323)
    
    Widen exception value to long and add overflow tests.
---
 .../commons/math4/legacy/core/MathArrays.java      |  4 +-
 .../commons/math4/legacy/core/MathArraysTest.java  | 13 ++++++
 .../descriptive/AbstractUnivariateStatistic.java   |  4 +-
 .../AbstractUnivariateStatisticTest.java           | 52 ++++++++++++++++++++++
 4 files changed, 69 insertions(+), 4 deletions(-)

diff --git 
a/commons-math-legacy-core/src/main/java/org/apache/commons/math4/legacy/core/MathArrays.java
 
b/commons-math-legacy-core/src/main/java/org/apache/commons/math4/legacy/core/MathArrays.java
index 8d10992da..425d3292e 100644
--- 
a/commons-math-legacy-core/src/main/java/org/apache/commons/math4/legacy/core/MathArrays.java
+++ 
b/commons-math-legacy-core/src/main/java/org/apache/commons/math4/legacy/core/MathArrays.java
@@ -962,9 +962,9 @@ public final class MathArrays {
             throw new NotPositiveException(LocalizedFormats.LENGTH, 
Integer.valueOf(length));
         }
 
-        if (begin + length > values.length) {
+        if ((long) begin + length > values.length) {
             throw new 
NumberIsTooLargeException(LocalizedFormats.SUBARRAY_ENDS_AFTER_ARRAY_END,
-                    Integer.valueOf(begin + length), 
Integer.valueOf(values.length), true);
+                    Long.valueOf((long) begin + length), 
Integer.valueOf(values.length), true);
         }
 
         return !(length == 0 && !allowEmpty);
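Review bot: The widened sum `(long) begin + length` is written twice in this hunk, once in the condition and once in the exception argument, and nothing says why the cast is there. I would compute it once, `final long end = (long) begin + length; // long: as int, begin + length can wrap negative and slip past the check`, and use `end` in both places so a later cleanup cannot drop one of the casts. The same applies to the setData hunk in AbstractUnivariateStatistic.java, where this check is the only guard before `new double[length]`. The exception argument is now a Long rather than an Integer, which is visible to any caller that inspects the runtime type returned by `getArgument()`. The enclosing method starts and ends outside the hunk.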
diff --git 
a/commons-math-legacy-core/src/test/java/org/apache/commons/math4/legacy/core/MathArraysTest.java
 
b/commons-math-legacy-core/src/test/java/org/apache/commons/math4/legacy/core/MathArraysTest.java
index d57dc068c..927e93f5c 100644
--- 
a/commons-math-legacy-core/src/test/java/org/apache/commons/math4/legacy/core/MathArraysTest.java
+++ 
b/commons-math-legacy-core/src/test/java/org/apache/commons/math4/legacy/core/MathArraysTest.java
@@ -30,6 +30,7 @@ import 
org.apache.commons.math4.legacy.exception.NonMonotonicSequenceException;
 import org.apache.commons.math4.legacy.exception.NotANumberException;
 import org.apache.commons.math4.legacy.exception.NotPositiveException;
 import org.apache.commons.math4.legacy.exception.NotStrictlyPositiveException;
+import org.apache.commons.math4.legacy.exception.NumberIsTooLargeException;
 import org.apache.commons.math4.legacy.exception.NullArgumentException;
 import org.apache.commons.math4.legacy.exception.NotFiniteNumberException;
 import org.apache.commons.math4.core.jdkmath.JdkMath;
@@ -630,6 +631,18 @@ public class MathArraysTest {
         Assert.assertTrue(MathArrays.verifyValues(singletonArray, 0, 0, true));
     }
 
+    @Test
+    public void testVerifyValuesOverflow() {
+        // begin + length overflows int; the check must not be bypassed and the
+        // reported end position must be the true (long) value, not the 
wrapped int.
+        try {
+            MathArrays.verifyValues(testArray, 1, Integer.MAX_VALUE);
+            Assert.fail("Expecting NumberIsTooLargeException");
+        } catch (NumberIsTooLargeException ex) {
+            Assert.assertEquals(1L + Integer.MAX_VALUE, 
ex.getArgument().longValue());
+        }
+    }
+
     @Test
     public void testVerifyValuesNegative() {
         final double[] nullArray = null;
diff --git 
a/commons-math-legacy/src/main/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatistic.java
 
b/commons-math-legacy/src/main/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatistic.java
index 41618fdf9..03a1766f7 100644
--- 
a/commons-math-legacy/src/main/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatistic.java
+++ 
b/commons-math-legacy/src/main/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatistic.java
@@ -109,9 +109,9 @@ public abstract class AbstractUnivariateStatistic
             throw new NotPositiveException(LocalizedFormats.LENGTH, length);
         }
 
-        if (begin + length > values.length) {
+        if ((long) begin + length > values.length) {
             throw new 
NumberIsTooLargeException(LocalizedFormats.SUBARRAY_ENDS_AFTER_ARRAY_END,
-                                                begin + length, values.length, 
true);
+                                                (long) begin + length, 
values.length, true);
         }
         storedData = new double[length];
         System.arraycopy(values, begin, storedData, 0, length);
diff --git 
a/commons-math-legacy/src/test/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatisticTest.java
 
b/commons-math-legacy/src/test/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatisticTest.java
new file mode 100644
index 000000000..be9511eda
--- /dev/null
+++ 
b/commons-math-legacy/src/test/java/org/apache/commons/math4/legacy/stat/descriptive/AbstractUnivariateStatisticTest.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.commons.math4.legacy.stat.descriptive;
+
+import org.apache.commons.math4.legacy.exception.NumberIsTooLargeException;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Test cases for {@link AbstractUnivariateStatistic}.
+ */
+public class AbstractUnivariateStatisticTest {
+
+    /** Minimal concrete implementation for exercising the base class. */
+    private static final class Stat extends AbstractUnivariateStatistic {
+        @Override
+        public double evaluate(double[] values, int begin, int length) {
+            return 0;
+        }
+
+        @Override
+        public UnivariateStatistic copy() {
+            return new Stat();
+        }
+    }
+
+    @Test
+    public void testSetDataOverflow() {
+        // begin + length overflows int; the check must not be bypassed and the
+        // reported end position must be the true (long) value, not the 
wrapped int.
+        try {
+            new Stat().setData(new double[10], 1, Integer.MAX_VALUE);
+            Assert.fail("Expecting NumberIsTooLargeException");
+        } catch (NumberIsTooLargeException ex) {
+            Assert.assertEquals(1L + Integer.MAX_VALUE, 
ex.getArgument().longValue());
+        }
+    }
+}
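Review bot: testSetDataOverflow checks the exception argument but not that the rejected call left the statistic untouched, and that matters here because the check guards the `new double[length]` allocation in setData. Holding the instance in a local (`final Stat stat = new Stat();`) and adding `Assert.assertNull(stat.getData());` in the catch block would pin that nothing was stored, assuming getData() returns null when no data has been set. The same try/fail/catch shape appears in testVerifyValuesOverflow in MathArraysTest.java. If the project's JUnit 4 version provides `Assert.assertThrows`, both tests could use it and drop the explicit `Assert.fail`.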
