DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=36044>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=36044 Summary: Canonicalizing an empty node-set throws an ArrayIndexOutOfBoundsException Product: Security Version: Java 1.2.1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Canonicalization AssignedTo: security-dev@xml.apache.org ReportedBy: [EMAIL PROTECTED] If your Signature dereferences an element with no children and then passes it to an XPath transform that results in an empty node-set, an ArrayIndexOutOfBoundsException will be thrown by org.apache.xml.security.c14n.implementations.CanonicalizerBase.canonicalizeXPathNodeSet [java] Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1 [java] at java.util.ArrayList.remove(ArrayList.java:393) [java] at org.apache.xml.security.c14n.implementations.NameSpaceSymbTable.pop(Unknown Source) [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.canonicalizeXPathNodeSet(Unknown Source) [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalizeXPathNodeSetInternal(Unknown Source) [java] at org.apache.xml.security.c14n.implementations.CanonicalizerBase.engineCanonicalize(Unknown Source) [java] at org.apache.xml.security.signature.XMLSignatureInput.updateOutputStream(Unknown Source) [java] at org.apache.xml.security.signature.Reference.calculateDigest(Unknown Source) [java] at org.apache.xml.security.signature.Reference.generateDigestValue(Unknown Source) [java] at org.apache.xml.security.signature.Manifest.generateDigestValues(Unknown Source) [java] at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source) [java] at org.apache.xml.security.samples.signature.CreateMerlinsExampleTwentyThree.main(Unknown Source) [java] Java Result: 1 I have slightly modified the CreateMerlinsExampleTwentyThree sample program to reproduce the problem. I will attach it. I have a fix but I would like Raul to check it before I commit it: $ diff -c CanonicalizerBase.java CanonicalizerBase.java.fixed *** CanonicalizerBase.java Fri Aug 5 10:56:37 2005 --- CanonicalizerBase.java.fixed Thu Aug 4 16:25:36 2005 *************** *** 482,488 **** } else { ns.pop(); } ! sibling= currentNode.getNextSibling(); } else { parentNode=currentElement; } --- 482,490 ---- } else { ns.pop(); } ! if (parentNode != null) { ! sibling= currentNode.getNextSibling(); ! } } else { parentNode=currentElement; } -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
