[ https://issues.apache.org/jira/browse/LANG-1826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18081147#comment-18081147 ]

Gary D. Gregory edited comment on LANG-1826 at 5/15/26 11:39 AM:
-----------------------------------------------------------------

Hello [~chenyl2024]

The methods {{StringUtils.repeat(String, [String,] int)}} now throw 
{{IllegalArgumentException}} instead of {{NegativeArraySizeException}} 
([#1644|https://github.com/apache/commons-lang/pull/1644]).

Please verify your use case with git master or a snapshot build from 
https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-lang3/3.21.0-SNAPSHOT/

TY!



was (Author: garydgregory):
Hello [~chenyl2024]

The methods {{StringUtils.repeat(String, [String,] int)}} now throws 
{{IllegalArgumentException}} instead of {{NegativeArraySizeException}} 
([#1644|https://github.com/apache/commons-lang/pull/1644]).

Please verify your use case with git master or a snapshot build from 
https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-lang3/3.21.0-SNAPSHOT/

TY!


> StringUtils.repeat(String, [String,] int) throws NegativeArraySizeException 
> on a combo of large count or large input
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1826
>                 URL: https://issues.apache.org/jira/browse/LANG-1826
>             Project: Commons Lang
>          Issue Type: Bug
>            Reporter: Cyl
>            Assignee: Gary D. Gregory
>            Priority: Minor
>             Fix For: 3.21.0
>
>
> h1. Issue: Unchecked integer overflow in public Commons Lang size APIs can 
> trigger denial of service
> h2. Basic Information
> * *Project*: LANG
> * *Type*: Issue
> * *Severity*: Medium
> * *Affected Versions*: <= 3.20.0
> * *Fixed Version*: N/A
> h2. Description
> This issue affects public methods in Apache Commons Lang that derive 
> allocation lengths directly from caller-controlled integers. A large positive 
> {{count}} or {{capacity}} can wrap to a negative size and trigger 
> {{NegativeArraySizeException}}, allowing downstream applications that pass 
> attacker-controlled values into these APIs to fail requests or jobs with a 
> low-effort denial of service.
> The affected methods are:
> * {{StringUtils.repeat(String, int)}}
> * {{StringUtils.repeat(String, String, int)}}
> * {{StrBuilder.ensureCapacity(int)}}
> These paths use unchecked {{int}} arithmetic before allocating arrays or 
> builders.
> h2. Impact
> This is a denial of service issue in a widely used library dependency. Any 
> application that passes untrusted size or count values into these APIs can be 
> forced into runtime failure. In practice this can break request handlers, 
> batch jobs, template generation, export tasks, or message-processing flows 
> that rely on Commons Lang string repetition or buffer preallocation with 
> attacker-controlled inputs.
> h2. Affected products
> * *Ecosystem*: maven
> * *Package name*: org.apache.commons:commons-lang3
> * *Affected versions*: <= 3.20.0
> h2. Severity
> * *Severity*: Medium
> * *Vector string*: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> h2. Weaknesses
> * *CWE*: CWE-190: Integer Overflow or Wraparound
> h2. Occurrences
> * {{StringUtils.repeat(String, int)}} multiplies {{inputLength * count}} with 
> unchecked {{int}} arithmetic and then uses the result for {{char[]}} or 
> {{StringBuilder}} allocation.
> * {{StringUtils.repeat(String, String, int)}} preserves the same flaw by 
> concatenating {{repeat + separator}} and delegating to the vulnerable 
> {{repeat(String, int)}} path.
> * {{StrBuilder.ensureCapacity(int)}} allocates {{new char[capacity * 2]}} 
> with unchecked multiplication, allowing a wrapped negative size to reach 
> allocation.
> h2. Reproduction summary
> Supplying {{1_073_741_824}} to these APIs causes {{* 2}} to wrap to 
> {{-2147483648}}, which then reaches allocation and raises 
> {{NegativeArraySizeException}}. This is reachable without source 
> modification, reflection, or internal access.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
