[jira] [Work logged] (IO-429) ByteArrayOutputStream can overflow

ASF GitHub Bot (Jira) Wed, 16 Dec 2020 12:29:35 -0800


     [ 
https://issues.apache.org/jira/browse/IO-429?focusedWorklogId=525244&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-525244
 ]


ASF GitHub Bot logged work on IO-429:
-------------------------------------

                Author: ASF GitHub Bot
            Created on: 16/Dec/20 20:28
            Start Date: 16/Dec/20 20:28
    Worklog Time Spent: 10m 
      Work Description: leskin-in commented on pull request #175:
URL: https://github.com/apache/commons-io/pull/175#issuecomment-746962320


   @garydgregory thank you for your 
[comment](https://github.com/apache/commons-io/pull/175#issuecomment-745740037).
   
   I have 
[implemented](https://github.com/apache/commons-io/pull/175/commits/361765a7fecae0d419828f84de3b825fd77dfa50)
 a test using 
[`CircularInputStream`](https://github.com/apache/commons-io/blob/d4e09c7b4ba4a1433feb7e5d4895cd1071e51bb1/src/main/java/org/apache/commons/io/input/CircularInputStream.java);
 
[`IOUtils.copyLarge()`](https://github.com/apache/commons-io/blob/9e71df2a6d879e76f69ffcc2d956dfd5d42f0ba9/src/main/java/org/apache/commons/io/IOUtils.java#L1163)
 does not return if provided `InifiniteCircularInputStream` as input.
   
   Note the new test case requires lots of memory, so heap size limit is 
[increased](https://github.com/apache/commons-io/pull/175/commits/361765a7fecae0d419828f84de3b825fd77dfa50#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8R387).
 I do not know whether this is appropriate. The chosen value is the lowest 
possible, which I obtained empirically on my laptop.
   
   [IO-161](https://issues.apache.org/jira/browse/IO-161) introduced heap size 
limit, and it has remained unchanged since then. But the reasons for this (and 
why `25M` was chosen) are not clear to me.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 525244)
    Time Spent: 40m  (was: 0.5h)

> ByteArrayOutputStream can overflow
> ----------------------------------
>
>                 Key: IO-429
>                 URL: https://issues.apache.org/jira/browse/IO-429
>             Project: Commons IO
>          Issue Type: Bug
>          Components: Utilities
>            Reporter: Fabian Lange
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> There are many places involved in the problem, and a good fix might be 
> problematic performance wise.
> For example:
> IOUtils.toByteArray(InputStream input) invoked with a Stream which feeds more 
> than Integer.MAX_VALUE bytes will either crash with 
> NegativeArraySizeException or maybe worse overflow in such a way that it 
> returns fine (but only with partial data)
> The ByteArrayOutputStream will happily consume the full stream but "int 
> count" will overflow. At some point then toByteArray is invoked which will do 
> like new byte[count].
> maybe "needNewBuffer" can throw the IllegalArgumentException, as it gets  the 
> count and could check for the overflow.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Work logged] (IO-429) ByteArrayOutputStream can overflow

Reply via email to