[jira] Created: (DERBY-5126) Add Derby test case for CVE-2010-4476 - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number

Fri, 11 Mar 2011 11:14:25 -0800 

Add Derby test case for CVE-2010-4476 - Java Runtime Environment hangs when 
converting "2.2250738585072012e-308" to a binary floating-point number
--------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: DERBY-5126
                 URL: https://issues.apache.org/jira/browse/DERBY-5126
             Project: Derby
          Issue Type: Improvement
          Components: Test
            Reporter: Kathey Marsden


There is a known serious JVM issue with  both Sun and IBM JVM's that can cause 
a hang with the following code and perhaps other cases:
public class ReproCVE20104476 {

    private static final String PROBLEM_NUMBER_STRING="2.2250738585072012e-308" 
;

    public static void main(String[] args) throws Exception  {
            Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
            Connection conn = 
DriverManager.getConnection("jdbc:derby:wombat;create=true");
            // clean up from a previous run
            Statement s = conn.createStatement();
            try {
                s.executeUpdate("DROP TABLE T");
            } catch (SQLException se) {
                if (!se.getSQLState().equals("42Y55"))
                    throw se;
            }
            s.executeUpdate("CREATE TABLE T (d1 VARCHAR(30))");
            PreparedStatement ps = conn.prepareStatement("INSERT INTO T VALUES 
(?)");
            ps.setString(1, PROBLEM_NUMBER_STRING);
            ps.executeUpdate();
            ResultSet rs = s.executeQuery("SELECT * from T");
            rs.next();
            double d = rs.getDouble(1);
            System.out.println("double value = " + d);
    }

}

The IBM announcement and fix is here:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

There is  a link from that page to the Oracle announcement.

I am not sure yet if Mac or other JVM's are affected.

I would like to check a regression test into trunk  at some point soon, but 
this will require that all people running Derby tests upgrade their JVM's, so 
want to set a reasonable deadline.  Does April 15 sound reasonable?  Also are 
there any JVM's/platforms  that should be excluded because there is not a fix 
available yet?


Thanks

Kathey

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to