Duncan Jones created LANG-1296:
----------------------------------
Summary: ArrayUtils.addAll() has unsafe use of varargs
Key: LANG-1296
URL: https://issues.apache.org/jira/browse/LANG-1296
Project: Commons Lang
Issue Type: Bug
Components: lang.*
Affects Versions: 3.5
Reporter: Duncan Jones
Priority: Critical
{{ArrayUtils.addAll()}} is marked as {{@SafeVarargs}}, but I suspect the use of
the varargs is unsafe.
An example, drawn heavily from [this StackOverflow
answer|http://stackoverflow.com/a/14252221/474189], demonstrates this:
{code:java}
static <T> T[] arrayOfTwo(T a, T b) {
return ArrayUtils.addAll(null, a, b);
}
@Test
public void testBadVarArgs() throws Exception {
@SuppressWarnings("unused") // Need to assign to trigger exception
String[] result = arrayOfTwo("foo", "bar");
}
{code}
the above code throws an exception: {{java.lang.ClassCastException:
[Ljava.lang.Object; cannot be cast to [Ljava.lang.String;}}.
Here, the {{null}} input array causes the method to return a clone of the
vararg array. This is what triggers the problem.
I faced a similar issue when adding the {{ArrayUtils.insert(...)}} methods and
I solved it by returning {{null}} if the input array is {{null}}. We can't do
this here without breaking behaviour.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
