[jira] Updated: (XALANJ-2366) CLONE -ArrayIndexOutOfBoundsException from integer overflow in WriterToUTF8Buffered#write()

Mon, 12 Feb 2007 07:32:27 -0800 

     [ 
https://issues.apache.org/jira/browse/XALANJ-2366?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Martin Suter updated XALANJ-2366:
---------------------------------

        Fix Version/s:     (was: 2.7)
             Priority: Critical
          Description: 
if the length of the incoming string in the write method is greater than 
BYTES_MAX, the string will broken up in chunks...
and an ArrayIndexOutOfBoundsException will be thrown, because:

s.getChars(start_chunk,end_chunk,m_inputChars,0);
start_chunk = 0
end_chunk = 6643
m_inputchars = char[5463] (!)

the calculation of 'split' is wrong.. it must be:
int split = 1 + length / CHARS_MAX;

  was:
The rework to chunk buffers of data in the write(char [], int, int)
method can lead to an integer overflow in the computation of the end_chunk
then start_chunk variables. When the latter value becomes negative it
leads to an illegal array reference into the chars array. With the numbers
in play a data block of 4MB can lead to this situation.

    Affects Version/s:     (was: 2.6)
                       2.7

> CLONE -ArrayIndexOutOfBoundsException from integer overflow in 
> WriterToUTF8Buffered#write()
> -------------------------------------------------------------------------------------------
>
>                 Key: XALANJ-2366
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2366
>             Project: XalanJ2
>          Issue Type: Bug
>          Components: Serialization
>    Affects Versions: 2.7
>         Environment: Operating System: All
> Platform: All
>            Reporter: Martin Suter
>         Assigned To: Xalan Developers Mailing List
>            Priority: Critical
>
> if the length of the incoming string in the write method is greater than 
> BYTES_MAX, the string will broken up in chunks...
> and an ArrayIndexOutOfBoundsException will be thrown, because:
> s.getChars(start_chunk,end_chunk,m_inputChars,0);
> start_chunk = 0
> end_chunk = 6643
> m_inputchars = char[5463] (!)
> the calculation of 'split' is wrong.. it must be:
> int split = 1 + length / CHARS_MAX;

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to