[
https://issues.apache.org/jira/browse/BCEL-309?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17507714#comment-17507714
]
Mark Roberts commented on BCEL-309:
-----------------------------------
Fixed with https://github.com/apache/commons-bcel/pull/117
> NegativeArraySizeException when Code attribute length is negative
> -----------------------------------------------------------------
>
> Key: BCEL-309
> URL: https://issues.apache.org/jira/browse/BCEL-309
> Project: Commons BCEL
> Issue Type: Bug
> Components: Parser
> Affects Versions: 6.2
> Reporter: Rohan Padhye
> Priority: Major
> Attachments: Hello.class
>
>
> Class parser throws an undocumented NegativeArraySizeException when parsing a
> malformed class file.
> Steps to reproduce:
>
>
> Attempt to parse the attached file "Hello.class" using the API
> org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)
>
> The file Hello.class was generated automatically by the fuzzer JQF
> (https://github.com/rohanpadhye/jqf).
> Expected output:
> ClassFormatException should be thrown as the class file is malformed.
> Observed output:
> Undocumented run-time exception is thrown:
> java.lang.NegativeArraySizeException
> at org.apache.bcel.classfile.Code.<init>(Code.java:75)
> at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
> at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
> at org.apache.bcel.classfile.Method.<init>(Method.java:82)
> at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
> at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)
>
>
> This is probably because the length of the Code attribute in a method is read
> as a 4-byte signed integer, and an array of that size is allocated without
> checking to see if the integer is negative.
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
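The root cause described in the report (a u4 attribute length read into a signed Java int and passed straight to an array allocation) is shown below as an added example; it is not BCEL's code and not the change in the linked pull request. The local `ClassFormatException` stands in for `org.apache.bcel.classfile.ClassFormatException`, and the `remaining` byte count passed to the checked version is an assumed caller-supplied bound.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

// Added example, not BCEL code: a u4 attribute length read into a signed int,
// shown with the blind allocation beside a checked version.
public class AttributeLengthCheck {

    // Local stand-in for org.apache.bcel.classfile.ClassFormatException.
    static class ClassFormatException extends RuntimeException {
        ClassFormatException(String msg) { super(msg); }
    }

    // Mirrors the defect: trusts the signed length and allocates without a check.
    static byte[] readAttributeUnchecked(DataInputStream in) throws IOException {
        int length = in.readInt();       // u4 length lands in a signed int
        byte[] body = new byte[length];  // throws NegativeArraySizeException if length < 0
        in.readFully(body);
        return body;
    }

    // Hardened: reject negative or oversized lengths before allocating.
    // "remaining" (bytes left in the stream) is an assumed caller-supplied bound.
    static byte[] readAttributeChecked(DataInputStream in, int remaining) throws IOException {
        int length = in.readInt();
        if (length < 0 || length > remaining) {
            throw new ClassFormatException("Invalid attribute length "
                    + (length & 0xFFFFFFFFL) + " with " + remaining + " bytes remaining");
        }
        byte[] body = new byte[length];
        in.readFully(body);
        return body;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: length field 0xFFFFFFFF (-1 as int) and no body.
        byte[] malformed = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readAttributeUnchecked(new DataInputStream(new ByteArrayInputStream(malformed)));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked: " + e);
        }
        try {
            readAttributeChecked(new DataInputStream(new ByteArrayInputStream(malformed)), 0);
        } catch (ClassFormatException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

The upper bound also rejects absurdly large lengths that would otherwise turn a fuzzed file into an OutOfMemoryError rather than a parse error.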