[
https://issues.apache.org/jira/browse/DERBY-5126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13008478#comment-13008478
]
Kathey Marsden commented on DERBY-5126:
---------------------------------------
Whenever I come across a derby usage case that doesn't work, whether a derby or
jvm issue, I always try to add a regression test to make sure it doesn't
regress sometime in the future and also to provide Derby users hitting the
symptom (in this case a hang) a hit when they search. When I add the case I
will launch a separate thread so that the suite does not hang but will just
have a failing test and will exclude jvms for which is known not to be fixed
yet.
I think though perhaps I should change the title to be ResultSet.getDouble()
on a character column with some values like "2.225073858072012e-308" will hang
with JVM's that do not have the fix for CVE-2010-4476 and then close it invalid
after I add the test case.
> Add Derby test case for CVE-2010-4476 - Java Runtime Environment hangs when
> converting "2.2250738585072012e-308" to a binary floating-point number
> --------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-5126
> URL: https://issues.apache.org/jira/browse/DERBY-5126
> Project: Derby
> Issue Type: Improvement
> Components: Test
> Reporter: Kathey Marsden
> Attachments: ReproCVE20104476.java
>
>
> There is a known serious JVM issue with both Sun and IBM JVM's that can
> cause a hang with the following code and perhaps other cases:
> public class ReproCVE20104476 {
> private static final String
> PROBLEM_NUMBER_STRING="2.2250738585072012e-308" ;
> public static void main(String[] args) throws Exception {
> Class.forName("org.apache.derby.jdbc.EmbeddedDriver");
> Connection conn =
> DriverManager.getConnection("jdbc:derby:wombat;create=true");
> // clean up from a previous run
> Statement s = conn.createStatement();
> try {
> s.executeUpdate("DROP TABLE T");
> } catch (SQLException se) {
> if (!se.getSQLState().equals("42Y55"))
> throw se;
> }
> s.executeUpdate("CREATE TABLE T (d1 VARCHAR(30))");
> PreparedStatement ps = conn.prepareStatement("INSERT INTO T VALUES
> (?)");
> ps.setString(1, PROBLEM_NUMBER_STRING);
> ps.executeUpdate();
> ResultSet rs = s.executeQuery("SELECT * from T");
> rs.next();
> double d = rs.getDouble(1);
> System.out.println("double value = " + d);
> }
> }
> The IBM announcement and fix is here:
> http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
> There is a link from that page to the Oracle announcement.
> I am not sure yet if Mac or other JVM's are affected.
> I would like to check a regression test into trunk at some point soon, but
> this will require that all people running Derby tests upgrade their JVM's, so
> want to set a reasonable deadline. Does April 15 sound reasonable? Also are
> there any JVM's/platforms that should be excluded because there is not a fix
> available yet?
> Thanks
> Kathey
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
