Steven Enns created HTTPCORE-441:
------------------------------------
Summary: Integer overflow in EntityUtils.toByteArray
Key: HTTPCORE-441
URL: https://issues.apache.org/jira/browse/HTTPCORE-441
Project: HttpComponents HttpCore
Issue Type: Bug
Components: HttpCore
Affects Versions: 5.0-alpha1, 4.4.4, 4.3.3
Reporter: Steven Enns
EntityUtils.toByteArray copies bytes from InputStream to byte[]. Bytes from
the InputStream are appended to a ByteArrayBuffer in chunks of 4KB. When the
buffer reaches capacity, ByteArrayBuffer::expand is called to increase capacity
by a factor of 2. However, when the array size exceeds 1/2 of
Integer.MAX_VALUE (about 1.07GB), the doubled size overflows. The overflowed
value is less than the newlen that was requested, so the buffer grows by just
4KB to the exact size that was requested. A subsequent resize and copy is
executed at every iteration of the loop in ByteArrayBuffer::append, every
remaining 4KB until the end of the InputStream. Execution times increase
rapidly and may cause execution to hang indefinitely.
See ByteArrayBuffer::expand for integer overflow:
    private void expand(final int newlen) {
        final byte newbuffer[] = new byte[Math.max(this.buffer.length << 1, newlen)];
        System.arraycopy(this.buffer, 0, newbuffer, 0, this.len);
        this.buffer = newbuffer;
    }
https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/4.4.6/httpcore/src/main/java/org/apache/http/util/ByteArrayBuffer.java
https://svn.apache.org/repos/asf/httpcomponents/httpcore/tags/5.0-alpha2-RC2/httpcore5/src/main/java/org/apache/hc/core5/util/ByteArrayBuffer.java
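The growth arithmetic described in the report, replayed on capacities only so that no large arrays are allocated. This is an added example, not part of the original report or of HttpCore; the class name, the `clamped` rule and the `MAX_ARRAY` bound are assumptions made for illustration.

```java
// Added example: simulates the capacity arithmetic only, nothing large is allocated.
public class ExpandOverflowDemo {
    static final int CHUNK = 4096;                      // 4KB append size from the report
    static final int MAX_ARRAY = Integer.MAX_VALUE - 8; // assumed safe upper bound for a byte[]

    interface Growth { int next(int capacity, int newlen); }

    // Growth rule as quoted from ByteArrayBuffer::expand in the report.
    static int reported(int capacity, int newlen) {
        return Math.max(capacity << 1, newlen);
    }

    // Hypothetical overflow-aware rule: double in long arithmetic, then clamp.
    static int clamped(int capacity, int newlen) {
        long doubled = Math.min((long) capacity << 1, MAX_ARRAY);
        return (int) Math.max(doubled, newlen);
    }

    // Replays the append loop; returns {resize count, total bytes copied by resizes}.
    static long[] simulate(Growth rule, int totalBytes) {
        int capacity = CHUNK;
        int len = 0;
        long resizes = 0, copied = 0;
        while (len < totalBytes) {
            int newlen = len + CHUNK;
            if (newlen > capacity) {
                capacity = rule.next(capacity, newlen);
                resizes++;
                copied += len; // System.arraycopy moves the current contents
            }
            len = newlen;
        }
        return new long[] { resizes, copied };
    }

    public static void main(String[] args) {
        int total = 1500 * 1024 * 1024; // constructed input size: 1500 MiB
        System.out.println("(1 << 30) << 1 = " + ((1 << 30) << 1)); // the overflowed doubling
        long[] a = simulate(ExpandOverflowDemo::reported, total);
        long[] b = simulate(ExpandOverflowDemo::clamped, total);
        System.out.printf("reported: resizes=%d copied=%d bytes%n", a[0], a[1]);
        System.out.printf("clamped:  resizes=%d copied=%d bytes%n", b[0], b[1]);
    }
}
```

Comparing the two `copied` totals shows the cost of the per-chunk resize once the capacity passes 2^30 bytes.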