Date: Thu, 20 Oct 2005 19:48:00 -0000
Subject: [Bug java/24461] New: array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
From: "jrandom-gcc at i2p dot net"
To: gcc-bugs@gcc.gnu.org
Reply-To: gcc-bugzilla@gcc.gnu.org
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm

I hate posting bug reports without test cases, but this one is a bit beyond me - hopefully someone else will know what's up.

Symptom:

    java.lang.ArrayIndexOutOfBoundsException
       at java.lang.System.arraycopy(java.lang.Object, int, java.lang.Object, int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
       at java.util.zip.GZIPInputStream.read(byte[], int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
       at java.io.FilterInputStream.read(byte[]) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
       at net.i2p.i2ptunnel.HTTPResponseOutputStream$Pusher.run() (/home/jrandom/dev/i2p/build/libi2p.so)
       at java.lang.Thread.run() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)

This occurs on EOF. The buffer passed in to GZIPInputStream is 8KB, and the length and offset fields are fine too (set by FilterInputStream as '0, buf.length'). The problem is, I believe, in the inf.getRemaining() and/or the fixed size buffer in GZIPInputStream:

    byte[] tmp = new byte[8];
    // First copy remaining bytes from inflater input buffer.
    int avail = inf.getRemaining();
    System.arraycopy(this.buf, this.len - avail, tmp, 0, avail);

I have no idea why tmp is 8 bytes long, probably something I don't understand about zlib.
inf.getRemaining() just returns 'z_streamp->avail_in', and from what I can see, that can either be set explicitly, via inflater.setInput(buf[], off, len), or implicitly, within zlib's inflate(z_streamp, Z_SYNC_FLUSH). My very cursory look into inflate(...) leads me nowhere, but InflaterInputStream.java seems to be allowing arbitrarily large setInput(buf, 0, buf.length) calls - e.g. line 157. The default buf.length is 4KB.

Or, maybe is there something in the zlib format such that it will never have more than 8 bytes uninflated?

FWIW, I'm on the latest zlib (1.2.3) and gcj 4.0.2 (and I haven't seen any updates on the related classes in gcj's cvsweb).

=jr

--
           Summary: array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
           Product: gcc
           Version: 4.0.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: java
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: jrandom-gcc at i2p dot net

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
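As an added example that is not part of the report or of libgcj: the copy pattern quoted above beside a bounded variant (my own, hypothetical, not the fix GCC applied), driven by a constructed input where more than 8 bytes remain in the inflater after the deflate stream ends, the situation that arises when a whole buffer is handed over with setInput(buf, 0, buf.length).

```java
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class GzipTrailerDemo {
    static final int TRAILER_LEN = 8; // gzip trailer: CRC32 + ISIZE, 4 bytes each

    // Pattern quoted in the report: copies every remaining inflater input byte into an 8-byte buffer.
    static byte[] copyTrailerUnchecked(byte[] buf, int len, int avail) {
        byte[] tmp = new byte[TRAILER_LEN];
        System.arraycopy(buf, len - avail, tmp, 0, avail); // throws when avail > 8
        return tmp;
    }

    // Bounded variant (hypothetical, not libgcj's fix): copy at most the trailer and report the rest.
    static byte[] copyTrailerChecked(byte[] buf, int len, int avail, int[] leftover) {
        byte[] tmp = new byte[TRAILER_LEN];
        int n = Math.min(avail, TRAILER_LEN);
        System.arraycopy(buf, len - avail, tmp, 0, n);
        leftover[0] = avail - n; // bytes after the trailer, e.g. a second gzip member or trailing data
        return tmp;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: raw deflate data, 8 zero bytes standing in for the trailer, then 12 more bytes.
        Deflater def = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        def.setInput("hello gzip".getBytes("US-ASCII"));
        def.finish();
        byte[] deflated = new byte[64];
        int dlen = def.deflate(deflated);
        def.end();
        byte[] buf = new byte[dlen + TRAILER_LEN + 12]; // bytes past dlen stay zero
        System.arraycopy(deflated, 0, buf, 0, dlen);
        Inflater inf = new Inflater(true);
        inf.setInput(buf, 0, buf.length); // whole buffer at once, as the report describes
        byte[] out = new byte[64];
        while (!inf.finished()) inf.inflate(out);
        int avail = inf.getRemaining(); // everything after the end of the deflate stream
        System.out.println("input left after end of deflate stream: " + avail);
        int[] leftover = new int[1];
        copyTrailerChecked(buf, buf.length, avail, leftover);
        System.out.println("bounded copy ok, bytes beyond trailer: " + leftover[0]);
        try {
            copyTrailerUnchecked(buf, buf.length, avail);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unbounded copy failed: " + e);
        }
        inf.end();
    }
}
```

The bounded copy keeps the trailer read from faulting on a multi-member or padded stream; what a reader should then do with the leftover bytes (start a new member, or reject them) is a separate design decision.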