From: "jrandom-gcc at i2p dot net"
To: java-prs@gcc.gnu.org
Reply-To: gcc-bugzilla@gcc.gnu.org
Subject: [Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
Date: Sat, 22 Oct 2005 11:57:00 -0000
Message-ID: <20051022115745.30047.qmail@sourceware.org>

------- Comment #1 from jrandom-gcc at i2p dot net  2005-10-22 11:57 -------
Found the cause & can reproduce it.

The bug can be reproduced by dealing with a truncated gzip stream, as shown
below. The fix, I believe, would have GZIPInputStream using inf.getRemaining()
to determine the tmp[] buffer size, instead of the fixed 8 bytes.

Note that classpath does not have the same GZIPInputStream.read(byte[],int,int),
and this bug hasn't been tested on a JVM using classpath, so it may be
gcj-specific.

jrandom@betty /tmp/b $ gcj -o bug --main=gunzipbug gunzipbug.java
jrandom@betty /tmp/b $ ./bug
java.lang.ArrayIndexOutOfBoundsException
   at java.lang.System.arraycopy(java.lang.Object, int, java.lang.Object, int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at java.util.zip.GZIPInputStream.read(byte[], int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gunzipbug.main(java.lang.String[]) (Unknown Source)
   at gnu.java.lang.MainThread.call_main() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gnu.java.lang.MainThread.run() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
jrandom@betty /tmp/b $ javac gunzipbug.java
jrandom@betty /tmp/b $ java -cp . gunzipbug
java.io.EOFException: Unexpected end of ZLIB input stream
        at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:215)
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:134)
        at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:87)
        at gunzipbug.main(gunzipbug.java:19)
jrandom@betty /tmp/b $ cat gunzipbug.java
import java.util.Random;
import java.util.zip.*;
import java.io.*;
public class gunzipbug {
    public static void main(String args[]) {
        try {
            ByteArrayOutputStream full = new ByteArrayOutputStream(1024);
            GZIPOutputStream gzout = new GZIPOutputStream(full);
            byte buf[] = new byte[1024];
            new Random().nextBytes(buf);
            gzout.write(buf);
            gzout.close();
            byte gzdata[] = full.toByteArray();
            // now only read the first 128 bytes of that data
            ByteArrayInputStream truncated = new ByteArrayInputStream(gzdata, 0, 128);
            GZIPInputStream gzin = new GZIPInputStream(truncated);
            byte read[] = new byte[1024];
            int cur = 0;
            while ( (cur = gzin.read(read, cur, read.length-cur)) != -1)
                ; //noop
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

-- 
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
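
The report above compares two failure modes for the same truncated input: an unchecked ArrayIndexOutOfBoundsException under gcj and a checked EOFException under the other JVM. The sweep below is an added example, not part of the original comment or of libgcj; it generalizes the single 128-byte truncation to every proper prefix of a gzip stream and lists any prefix that fails with something other than an IOException. The class name TruncatedGzipSweep, its method names and the fixed seed are assumptions made for the example.

```java
import java.io.*;
import java.util.*;
import java.util.zip.*;

public class TruncatedGzipSweep {
    // Decode gz[0..len) completely and return the number of bytes produced.
    static int inflateAll(byte[] gz, int len) throws IOException {
        try (GZIPInputStream in =
                 new GZIPInputStream(new ByteArrayInputStream(gz, 0, len))) {
            byte[] out = new byte[4096];
            int total = 0, n;
            while ((n = in.read(out, 0, out.length)) != -1) {
                total += n;
            }
            return total;
        }
    }

    // Try every proper prefix; report any outcome other than an IOException.
    static List<String> sweep(byte[] gz) {
        List<String> findings = new ArrayList<>();
        for (int len = 0; len < gz.length; len++) {
            try {
                int n = inflateAll(gz, len);
                findings.add(len + ": decoded " + n + " bytes without error");
            } catch (IOException expected) {
                // EOFException or ZipException: the controlled failure mode
            } catch (RuntimeException e) {
                // e.g. the ArrayIndexOutOfBoundsException in this report
                findings.add(len + ": " + e);
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: 1024 pseudo-random bytes (fixed seed), gzipped.
        byte[] buf = new byte[1024];
        new Random(24461).nextBytes(buf);
        ByteArrayOutputStream full = new ByteArrayOutputStream();
        try (GZIPOutputStream gzout = new GZIPOutputStream(full)) {
            gzout.write(buf);
        }
        List<String> findings = sweep(full.toByteArray());
        findings.forEach(System.out::println);
        System.out.println(findings.size() + " unexpected outcome(s)");
    }
}
```

A non-empty findings list on a given runtime means code that decodes untrusted gzip data there cannot rely on catching IOException alone.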