Handle possible integer overflow in FastByteArrayOutputStream. patch by Mikhail Stepura; reviewed by Jonathan Ellis for CASSANDRA-7373
Project: http://git-wip-us.apache.org/repos/asf/cassandra/repo Commit: http://git-wip-us.apache.org/repos/asf/cassandra/commit/cccdcb5d Tree: http://git-wip-us.apache.org/repos/asf/cassandra/tree/cccdcb5d Diff: http://git-wip-us.apache.org/repos/asf/cassandra/diff/cccdcb5d Branch: refs/heads/cassandra-2.0 Commit: cccdcb5da9f31b20b7b29a8183434f447f7dd523 Parents: ba103eb Author: Mikhail Stepura <mish...@apache.org> Authored: Wed Jun 11 15:21:15 2014 -0700 Committer: Mikhail Stepura <mish...@apache.org> Committed: Fri Jun 20 14:12:54 2014 +1100 ---------------------------------------------------------------------- CHANGES.txt | 1 + .../apache/cassandra/io/util/FastByteArrayOutputStream.java | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cassandra/blob/cccdcb5d/CHANGES.txt ---------------------------------------------------------------------- diff --git a/CHANGES.txt b/CHANGES.txt index 49afb06..186b4a1 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,4 +1,5 @@ 1.2.17 + * Handle possible integer overflow in FastByteArrayOutputStream (CASSANDRA-7373) * cqlsh: 'ascii' values weren't formatted as text (CASSANDRA-7407) * cqlsh: ignore .cassandra permission errors (CASSANDRA-7266) * Errors in FlushRunnable may leave threads hung (CASSANDRA-7275) http://git-wip-us.apache.org/repos/asf/cassandra/blob/cccdcb5d/src/java/org/apache/cassandra/io/util/FastByteArrayOutputStream.java ---------------------------------------------------------------------- diff --git a/src/java/org/apache/cassandra/io/util/FastByteArrayOutputStream.java b/src/java/org/apache/cassandra/io/util/FastByteArrayOutputStream.java index 0e95610..60cc64a 100644 --- a/src/java/org/apache/cassandra/io/util/FastByteArrayOutputStream.java +++ b/src/java/org/apache/cassandra/io/util/FastByteArrayOutputStream.java @@ -101,7 +101,9 @@ public class FastByteArrayOutputStream extends OutputStream { return; } - byte[] newbuf = new byte[(count + i) * 2]; + long expectedExtent = (count + i) * 2L; //long to deal with possible int overflow + int newSize = (int) Math.min(Integer.MAX_VALUE - 8, expectedExtent); // MAX_ARRAY_SIZE + byte[] newbuf = new byte[newSize]; System.arraycopy(buf, 0, newbuf, 0, count); buf = newbuf; } @@ -209,7 +211,8 @@ public class FastByteArrayOutputStream extends OutputStream { public void write(byte[] buffer, int offset, int len) { // avoid int overflow if (offset < 0 || offset > buffer.length || len < 0 - || len > buffer.length - offset) { + || len > buffer.length - offset + || this.count + len < 0) { throw new IndexOutOfBoundsException(); } if (len == 0) {