public inbox for java-prs@sourceware.org
From: "jrandom-gcc at i2p dot net" <gcc-bugzilla@gcc.gnu.org>
To: java-prs@gcc.gnu.org
Subject: [Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
Date: Sat, 22 Oct 2005 11:57:00 -0000
Message-ID: <20051022115745.30047.qmail@sourceware.org>
In-Reply-To: <bug-24461-11561@http.gcc.gnu.org/bugzilla/>

------- Comment #1 from jrandom-gcc at i2p dot net  2005-10-22 11:57 -------
Found the cause & can reproduce it.

The bug can be reproduced by dealing with a truncated gzip stream, as shown
below. The fix, I believe, would have GZIPInputStream using inf.getRemaining()
to determine the tmp[] buffer size, instead of the fixed 8 bytes.

Note that classpath does not have the same GZIPInputStream.read(byte[],int,int),
and this bug hasn't been tested on a JVM using classpath, so it may be
gcj-specific.

jrandom@betty /tmp/b $ gcj -o bug --main=gunzipbug gunzipbug.java
jrandom@betty /tmp/b $ ./bug
java.lang.ArrayIndexOutOfBoundsException
   at java.lang.System.arraycopy(java.lang.Object, int, java.lang.Object, int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at java.util.zip.GZIPInputStream.read(byte[], int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gunzipbug.main(java.lang.String[]) (Unknown Source)
   at gnu.java.lang.MainThread.call_main() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gnu.java.lang.MainThread.run() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
jrandom@betty /tmp/b $ javac gunzipbug.java
jrandom@betty /tmp/b $ java -cp . gunzipbug
java.io.EOFException: Unexpected end of ZLIB input stream
        at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:215)
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:134)
        at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:87)
        at gunzipbug.main(gunzipbug.java:19)
jrandom@betty /tmp/b $ cat gunzipbug.java
import java.util.Random;
import java.util.zip.*;
import java.io.*;
public class gunzipbug {
    public static void main(String args[]) {
        try {
            ByteArrayOutputStream full = new ByteArrayOutputStream(1024);
            GZIPOutputStream gzout = new GZIPOutputStream(full);
            byte buf[] = new byte[1024];
            new Random().nextBytes(buf);
            gzout.write(buf);
            gzout.close();
            byte gzdata[] = full.toByteArray();
            // now only read the first 128 bytes of that data
            ByteArrayInputStream truncated = new ByteArrayInputStream(gzdata, 0, 128);
            GZIPInputStream gzin = new GZIPInputStream(truncated);
            byte read[] = new byte[1024];
            int cur = 0;
            while ( (cur = gzin.read(read, cur, read.length-cur)) != -1) ; //noop
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
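
Added example, not part of the original message or of libgcj: a truncation sweep that generalizes the reproducer above from a single 128-byte cut to every prefix length, and classifies each result as IOException (what callers expect), an unchecked exception (the behaviour reported here), or silent acceptance. It is written for a current JDK; the class and method names are hypothetical and the input data is constructed.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

// Added example: names are hypothetical, not taken from libgcj or the bug report.
public class GzipTruncationSweep {
    enum Outcome { IO_EXCEPTION, RUNTIME_EXCEPTION, ACCEPTED }

    // Decompress only the first `len` bytes of gz and classify how the library reacts.
    static Outcome probe(byte[] gz, int len) {
        byte[] out = new byte[4096];
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(gz, 0, len))) {
            while (in.read(out, 0, out.length) != -1) { /* drain */ }
            return Outcome.ACCEPTED;           // truncated input decoded without complaint
        } catch (IOException e) {
            return Outcome.IO_EXCEPTION;       // EOFException / ZipException: checked, callers handle it
        } catch (RuntimeException e) {
            return Outcome.RUNTIME_EXCEPTION;  // e.g. ArrayIndexOutOfBoundsException, as in this report
        }
    }

    // Try every strict prefix of the stream and group the prefix lengths by outcome.
    static Map<Outcome, List<Integer>> sweep(byte[] gz) {
        Map<Outcome, List<Integer>> result = new EnumMap<>(Outcome.class);
        for (Outcome o : Outcome.values()) result.put(o, new ArrayList<>());
        for (int len = 0; len < gz.length; len++) result.get(probe(gz, len)).add(len);
        return result;
    }

    public static void main(String[] args) throws IOException {
        byte[] plain = new byte[1024];
        new Random(24461).nextBytes(plain);    // constructed sample input, fixed seed for repeatability
        ByteArrayOutputStream full = new ByteArrayOutputStream();
        try (GZIPOutputStream gzout = new GZIPOutputStream(full)) { gzout.write(plain); }

        Map<Outcome, List<Integer>> r = sweep(full.toByteArray());
        System.out.println("IOException at " + r.get(Outcome.IO_EXCEPTION).size() + " prefix lengths");
        System.out.println("RuntimeException at prefix lengths " + r.get(Outcome.RUNTIME_EXCEPTION));
        System.out.println("Accepted at prefix lengths " + r.get(Outcome.ACCEPTED));

        // Any unchecked exception or silent acceptance of a truncated stream fails the sweep.
        if (!r.get(Outcome.RUNTIME_EXCEPTION).isEmpty() || !r.get(Outcome.ACCEPTED).isEmpty())
            System.exit(1);
    }
}
```

The unchecked case matters to callers because a handler written as catch (IOException e) around decompression of untrusted input does not catch it.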
Thread overview: 9+ messages
2005-10-20 19:48 [Bug java/24461] New: " jrandom-gcc at i2p dot net
2005-10-22 11:57 ` jrandom-gcc at i2p dot net [this message]
2005-10-24 19:05 ` [Bug libgcj/24461] " tromey at gcc dot gnu dot org
2005-10-24 19:31 ` tromey at gcc dot gnu dot org
2006-02-04 23:51 ` tromey at gcc dot gnu dot org
2006-03-09 19:02 ` tromey at gcc dot gnu dot org
2006-03-09 20:22 ` tromey at gcc dot gnu dot org
2006-03-09 20:25 ` tromey at gcc dot gnu dot org
2006-03-09 20:27 ` tromey at gcc dot gnu dot org