Seems to me that such ranges are application specific and therefore your problem, not the JVM's. You're describing a bug in your code, due to failure to validate, not a bug in the JVM which behaves exactly (and quite possibly provably) according to its specification.
--- Andrew van der Stock <[EMAIL PROTECTED]> wrote:

> I'm not talking arbitrary code execution, I'm talking about odd code
> paths, bizarre outcomes, and DoS.
>
> For example (found via 19 Sins, Viega, Howard and LeBlanc):
> http://seclists.org/lists/bugtraq/2004/Nov/0097.html
>
> I know Michael reads webappsec, he may have more examples.
>
> In my own code testing, I look for silly behaviors if a user can
> insert a large or negative number. You'd be surprised how often it
> occurs. There is no excuse not to include basic range checks when
> performing data validation.
>
> thanks,
> Andrew
>
> On 29/03/2006, at 2:30 PM, [EMAIL PROTECTED] wrote:
>
> > No you don't.
> >
> > Arrays are all bounds checked; ..., that is, the following code will
> > throw an exception:
> >
> > ================================
> > class Foo {
> >   static {
> >     int[] m = new int[2];
> >     System.out.println(m[34]);
> >   }
> > }
> > ================================
> >
> > What do you mean by "overflow"? Do you mean this?
> >
> > ================================
> > class Foo {
> >   static {
> >     int m = Integer.MAX_VALUE;
> >     int k = Integer.MAX_VALUE + Integer.MAX_VALUE;
> >     System.out.println(m);
> >     System.out.println(k);
> >     System.exit(0);
> >   }
> > }
> > ================================
> >
> > if so, I don't see how that is an issue.
> >
> > -- Michael
> >
> > On 3/29/06, Andrew van der Stock <[EMAIL PROTECTED]> wrote:
> >> This is not quite true.
> >>
> >> Java does not prevent integer overflows (it will not throw an
> >> exception). So you still have to be careful about array indexes.
> >>
> >> Andrew
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions."
Naguib Mahfouz
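An added example (not code from anyone in this thread) that puts the two positions side by side: Java's array bounds check does fire, but an index computed from user-supplied values can wrap silently before it gets there, so the application still has to range-check. The method names, the offset/count inputs and the table contents are all constructed for illustration; `Math.addExact` is the standard library's overflow-detecting add (Java 8 and later).

```java
import java.util.Arrays;

public class RangeCheckDemo {

    // Hypothetical application logic: an element is selected as offset + count,
    // both taken from the user. In Java the sum wraps silently on overflow.
    static int unvalidatedIndex(int offset, int count) {
        return offset + count;
    }

    // Hardened version: detect overflow in the arithmetic itself, then reject
    // anything outside [0, length) before the array is touched.
    static int checkedIndex(int offset, int count, int length) {
        int idx;
        try {
            idx = Math.addExact(offset, count);   // ArithmeticException on int overflow
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException("offset + count overflows int", e);
        }
        if (idx < 0 || idx >= length) {
            throw new IllegalArgumentException("index " + idx + " outside [0, " + length + ")");
        }
        return idx;
    }

    public static void main(String[] args) {
        int[] table = new int[4];
        Arrays.fill(table, 7);   // constructed data

        // Constructed input: a small offset plus a count near Integer.MAX_VALUE wraps negative.
        int idx = unvalidatedIndex(2, Integer.MAX_VALUE);
        System.out.println("wrapped index = " + idx);
        try {
            System.out.println(table[idx]);   // the JVM's bounds check catches it only here
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("JVM bounds check: " + e.getMessage());
        }

        // The same input through the validated path fails early, with the cause named.
        try {
            checkedIndex(2, Integer.MAX_VALUE, table.length);
        } catch (IllegalArgumentException e) {
            System.out.println("validation: " + e.getMessage());
        }

        // Well-formed input passes both checks.
        System.out.println("ok: " + table[checkedIndex(1, 2, table.length)]);
    }
}
```

The unvalidated path reaches the array with a negative index and the JVM turns it into an uncaught exception, which is the DoS-style outcome the thread is about; the validated path never lets the bad value reach the array at all.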
