elharo opened a new issue, #349:
URL: https://github.com/apache/maven-filtering/issues/349

   ### Affected version
   
   HEAD
   
   ### Bug description
   
   
   
   File: src/main/java/org/apache/maven/shared/filtering/MultiDelimiterInterpolatorFilterReaderLineEnding.java
   
   Lines 223 and 246 — The escape-detection loop (line 223) and 
delimiter-detection loop (line 246) are missing ch == -1 EOF checks. The 
equivalent single-delimiter class InterpolatorFilterReaderLineEnding correctly 
includes these checks (lines 206 and 221).
   
   In the escape loop (line 223):
   
   if (ch != getEscapeString().charAt(i) || ch == '\n' && !supportMultiLineFiltering) {
   
   Missing: || ch == -1
   
   In the delimiter loop (line 246):
   
   if (ch != begin.charAt(i) || ch == '\n' && !supportMultiLineFiltering) {
   
   Missing: || ch == -1
   
   When EOF (-1) is encountered during escape string or begin-token matching, 
(char) ch casts -1 to 0xFFFF, which is appended to the key StringBuilder as a 
garbage character. In the escape loop this is partially mitigated because the 
mismatch branch clears the key (key.setLength(0)), but the garbage still 
appears in the key transiently and the key.append((char) ch) at line 221 runs 
before any check. In the delimiter loop the garbage char is silently consumed.
   
   Impact: When a file ends during a begin-token or escape-string sequence, the 
reader can output corrupted data (garbage character inserted) or skip bytes.


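The cast described in the issue, shown as an added example (not code from maven-filtering or from the issue itself): a simplified begin-token loop run on a constructed input that ends in the middle of the token. The class and method names, the `checkEof` switch, and the placement of the EOF test before the append are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/** Simplified model of a begin-token matching loop (hypothetical, not the project's class). */
public class EofInTokenDemo {

    /**
     * Tries to match `begin` at the reader's position and returns what was
     * collected into the key buffer. checkEof=false models a loop with no
     * EOF test; checkEof=true adds a `ch == -1` test.
     */
    static String collectKey(Reader in, String begin, boolean checkEof) throws IOException {
        StringBuilder key = new StringBuilder();
        for (int i = 0; i < begin.length(); i++) {
            int ch = in.read();            // Reader.read() returns -1 at end of stream
            if (checkEof && ch == -1) {
                break;                     // stop before the narrowing cast
            }
            key.append((char) ch);         // (char) -1 narrows to the code unit 0xFFFF
            if (ch != begin.charAt(i)) {
                break;                     // not the begin token
            }
        }
        return key.toString();
    }

    /** Renders each UTF-16 code unit as four hex digits. */
    static String hex(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            sb.append(String.format("%04X ", (int) c));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) throws IOException {
        String begin = "${";
        String input = "$"; // constructed input: the stream ends after the first token character
        String unchecked = collectKey(new StringReader(input), begin, false);
        String checked = collectKey(new StringReader(input), begin, true);
        System.out.println("without EOF check: " + hex(unchecked));
        System.out.println("with EOF check:    " + hex(checked));
        if (unchecked.indexOf('\uFFFF') < 0 || checked.indexOf('\uFFFF') >= 0) {
            throw new AssertionError("unexpected key contents");
        }
    }
}
```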