[
https://issues.apache.org/jira/browse/DERBY-3898?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Knut Anders Hatlen updated DERBY-3898:
--------------------------------------
Attachment: overflow.diff
One small corner case: The patch checks whether (len + offset > bytes.length)
is true to detect if the sum of len and offset exceeds the length of the byte
buffer. However, if the sum of len and offset is greater than
Integer.MAX_VALUE, (len + offset) will overflow and return a negative result.
Since a negative value will not be considered greater than bytes.length, the
check will fail to detect that the sum is too big.
Example that shows the bug:
blob.setBytes(1, new byte[100], 10, Integer.MAX_VALUE);
The above statement will fail with an IndexOutOfBoundsException on the embedded
driver. On the client driver, no error is raised at all. The expected result is
an SQLException.
I've attached a patch which fixes the problem by changing (len + offset >
bytes.length) to (len > bytes.length - offset). Since we know at this point in
the code that both bytes.length and offset are non-negative, we also know that
(bytes.length - offset) cannot overflow. The patch also adds a test case for
the bug.
> Blob.setBytes differs between embedded and client driver when the specified
> length is invalid
> ---------------------------------------------------------------------------------------------
>
> Key: DERBY-3898
> URL: https://issues.apache.org/jira/browse/DERBY-3898
> Project: Derby
> Issue Type: Bug
> Components: JDBC
> Affects Versions: 10.3.3.0, 10.4.2.0, 10.5.1.1, 10.6.1.0
> Reporter: Kristian Waagan
> Assignee: Yun Lee
> Priority: Minor
> Fix For: 10.7.0.0
>
> Attachments: derby-3898-1.patch, derby-3898-1.stat,
> derby-3898-testcase.patch, derby-3898-testcase.stat, Derby3898.java,
> overflow.diff
>
>
> Blob.setBytes behaves differently with the embedded driver and the client
> driver.
> Assume a 1 byte array and a specified length of 2: Blob.setBytes(1, new
> byte[] {0x69}, 0, 2)
> Embedded: IndexOutOfBoundsException (from java.io.RandomAccessFile.writeBytes
> or System.arraycopy)
> Client: succeeds, returns insertion count 1
> The behavior should be made consistent, but what is the correct behavior?
> From the Blob.setBytes JavaDoc:
> "Writes all or part of the given byte array to the BLOB value that this Blob
> object represents and returns the number of bytes written. Writing starts at
> position pos in the BLOB value; len bytes from the given byte array are
> written. The array of bytes will overwrite the existing bytes in the Blob
> object starting at the position pos. If the end of the Blob value is reached
> while writing the array of bytes, then the length of the Blob value will be
> increased to accomodate the extra bytes."
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
