Bug in ServletInputStream.readLine

Mon, 1 Mar 1999 07:14:03 -0500 

Hi,

you may want to take note of the following bug in the
javax.servlet.ServletInputStream class:

[begin orginal code form Servlet SDK 2.0]
    /**
     * Starting at the specified offset, reads into the given array of
     * bytes until all requested bytes have been read or a '\n' is
     * encountered, in which case the '\n' is read into the array as well.
     * @param b the buffer into which the data is read
     * @param off the start offset of the data
     * @param len the maximum number of bytes to read
     * @return the actual number of bytes read, or -1 if the end of the
     *         stream is reached
     * @exception IOException if an I/O error has occurred
     */
    public int readLine(byte[] b, int off, int len) throws IOException {
        if (len <= 0) {
            return 0;
        }
        int count = 0, c;
        while ((c = read()) != -1) {
            b[off++] = (byte)c;
            count++;
            if (c == '\n') {
                break;
            }
        }
        return count > 0 ? count : -1;
    }
}
[end orginal code form Servlet SDK 2.0]

As you can see in the code above, the parameter len is only checked for being
negative (and no read will occur) and never anywhere else. Now if you read a
binary file and provide not too big a buffer (as in my case) it's very likely
that you run into an array-out-of-bounds exception because there was no newline
char anywhere in the input stream, e. g. you provide a 100 byte buffer and
request 100 bytes, if there's no newline withing the next 100 bytes on the input
stream then you crash.

You can fix this by using the code below (full file attached):

[begin excerpt dk fix]
    public int readLine(byte[] b, int off, int len) throws IOException {
        if (len <= 0) {
            return 0;
        }
        int count = 0, c;
        while ((c = read()) != -1) {
            b[off++] = (byte)c;
            count++;

            // begin dk fix
            if( count >= len ) {
                break;
            }
            // end dk fix

            if (c == '\n') {
                break;
            }
        }
        return count > 0 ? count : -1;
    }
[end excerpt dk fix]

Using the code attached below, my file uploads now work fine ;-)

Cheers,

++dk

--
David Kamber
Senior Consultant                       Phone:   +41  1 308 5111
World Wide Professional Services        Direct:  +41  1 308 5143
Netscape Communications                 Mobile:  +41 79 422 4445
Thurgauerstrasse 66                     Fax:     +41  1 308 5100
CH - 8050 Zurich                        <mailto:[EMAIL PROTECTED]>
       -- exoriare aliquis nostris ex ossibus ultor! --

ServletInputStream.java

S/MIME Cryptographic Signature

Reply via email to