inponomarev opened a new pull request, #1585: URL: https://github.com/apache/commons-lang/pull/1585
## Problem

`ArrayUtils.subarray(..)` is documented to return an empty array when `endIndexExclusive < startIndexInclusive`.

For extreme combinations of indices, the current implementation may violate this contract due to subtraction overflow in the computation of:

```java
final int newSize = endIndexExclusive - startIndexInclusive;
```

Although `startIndexInclusive` is clamped to `>= 0`, `endIndexExclusive` was previously only clamped to `<= array.length` and could remain negative. The subtraction could therefore overflow to a positive value, causing the method to attempt allocation and/or copying instead of returning an empty array.

Depending on the overflowed value and heap size, this resulted in:

* `ArrayIndexOutOfBoundsException` (small positive overflow), or
* `OutOfMemoryError` (large positive overflow)

Both outcomes contradict the documented behavior.

## Changes

For all ArrayUtils.subarray(..) overloads, endIndexExclusive is now clamped symmetrically to the valid range before computing the size:

```java
endIndexExclusive = max0(Math.min(endIndexExclusive, array.length));
```

This guarantees:

* `endIndexExclusive` is always in `[0 .. array.length]`
* `endIndexExclusive - startIndexInclusive` cannot overflow

Cases where `endIndexExclusive < startIndexInclusive` consistently return an empty array.

## Tests

Added regression tests for all subarray overloads covering extreme index combinations that previously triggered integer overflow and resulted in `ArrayIndexOutOfBoundsException`.

- [x] Read the [contribution guidelines](CONTRIBUTING.md) for this project.
- [x] Read the [ASF Generative Tooling Guidance](https://www.apache.org/legal/generative-tooling.html) if you use Artificial Intelligence (AI).
- [ ] I used AI to create any part of, or all of, this pull request. Which AI tool was used to create this pull request, and to what extent did it contribute?
- [ ] Run a successful build using the default [Maven](https://maven.apache.org/) goal with `mvn`; that's `mvn` on the command line by itself.
- [x] Write unit tests that match behavioral changes, where the tests fail if the changes to the runtime are not applied. This may not always be possible, but it is a best practice.
- [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
- [ ] Each commit in the pull request should have a meaningful subject line and body. Note that a maintainer may squash commits during the merge process.
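The wrap-around described in the pull request can be reproduced without allocating anything. The following is an added example, not code from the pull request or from Commons Lang: it rebuilds only the size computation from the description above, the class and method names are hypothetical, the body of `max0` is an assumption (clamp negatives to zero), and the index pairs are constructed.

```java
public class SubarrayOverflowDemo {

    // Assumed behaviour of the max0 helper named in the PR: clamp negatives to zero.
    static int max0(int value) {
        return Math.max(0, value);
    }

    // Size computation as described before the fix: end is clamped from above only.
    static int sizeBefore(int length, int start, int end) {
        start = max0(start);
        end = Math.min(end, length);
        return end - start; // wraps around when end is far below zero
    }

    // Size computation with the symmetric clamp proposed in the PR.
    static int sizeAfter(int length, int start, int end) {
        start = max0(start);
        end = max0(Math.min(end, length));
        return end - start; // end is in [0, length] and start >= 0, so no wrap
    }

    // The method returns an empty array for size <= 0 and allocates/copies otherwise.
    static String outcome(int size) {
        return size <= 0 ? "empty array" : "allocate and copy " + size + " element(s)";
    }

    public static void main(String[] args) {
        int length = 3; // constructed sample: a 3-element array
        int[][] cases = {
            {Integer.MAX_VALUE, Integer.MIN_VALUE}, // small positive overflow
            {1, Integer.MIN_VALUE},                 // large positive overflow
            {2, 1},                                 // ordinary end < start
            {1, 3},                                 // ordinary valid range
        };
        for (int[] c : cases) {
            System.out.printf("start=%d end=%d%n  before: %s%n  after:  %s%n",
                    c[0], c[1],
                    outcome(sizeBefore(length, c[0], c[1])),
                    outcome(sizeAfter(length, c[0], c[1])));
        }
    }
}
```

A caller that forwards untrusted indices into such a method turns the large-overflow case into an allocation-driven denial of service, which is why the clamp belongs before the subtraction rather than in a later size check.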
