[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #4 from tromey at gcc dot gnu dot org 2006-03-09 19:02 ---
Testing a patch.

--

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |tromey at gcc dot gnu dot
                   |dot org                     |org
             Status|NEW                         |ASSIGNED
   Last reconfirmed|2005-10-24 19:05:27         |2006-03-09 19:02:16
               date|                            |

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #5 from tromey at gcc dot gnu dot org 2006-03-09 20:22 ---
Subject: Bug 24461

Author: tromey
Date: Thu Mar 9 20:21:58 2006
New Revision: 111870

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=111870
Log:
PR libgcj/24461:
* java/util/zip/InflaterInputStream.java (fill): Throw exception
if stream is truncated.

Modified:
    trunk/libjava/ChangeLog
    trunk/libjava/java/util/zip/InflaterInputStream.java

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #6 from tromey at gcc dot gnu dot org 2006-03-09 20:25 ---
Subject: Bug 24461

Author: tromey
Date: Thu Mar 9 20:25:23 2006
New Revision: 111871

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=111871
Log:
PR libgcj/24461:
* java/util/zip/InflaterInputStream.java (fill): Throw exception
if stream is truncated.

Modified:
    branches/gcc-4_1-branch/libjava/ChangeLog
    branches/gcc-4_1-branch/libjava/java/util/zip/InflaterInputStream.java

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #7 from tromey at gcc dot gnu dot org 2006-03-09 20:27 ---
Fix checked in.

--

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED
   Target Milestone|---                         |4.1.1

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #3 from tromey at gcc dot gnu dot org 2006-02-04 23:51 ---
*** Bug 25948 has been marked as a duplicate of this bug. ***

--

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |GCC at Stolsvik dot com

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--

tromey at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
   Last reconfirmed|-00-00 00:00:00             |2005-10-24 19:05:27
               date|                            |

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #2 from tromey at gcc dot gnu dot org 2005-10-24 19:31 ---
FWIW, I tried this with jamvm+classpath cvs, and got the expected
result. So it does appear to be gcj-specific.

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib
--- Comment #1 from jrandom-gcc at i2p dot net 2005-10-22 11:57 ---
Found the cause and can reproduce it.

The bug can be reproduced by dealing with a truncated gzip stream, as
shown below. The fix, I believe, would have GZIPInputStream using
inf.getRemaining() to determine the tmp[] buffer size, instead of the
fixed 8 bytes.

Note that classpath does not have the same
GZIPInputStream.read(byte[],int,int), and this bug hasn't been tested
on a JVM using classpath, so it may be gcj-specific.

[EMAIL PROTECTED] /tmp/b $ gcj -o bug --main=gunzipbug gunzipbug.java
[EMAIL PROTECTED] /tmp/b $ ./bug
java.lang.ArrayIndexOutOfBoundsException
   at java.lang.System.arraycopy(java.lang.Object, int, java.lang.Object, int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at java.util.zip.GZIPInputStream.read(byte[], int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gunzipbug.main(java.lang.String[]) (Unknown Source)
   at gnu.java.lang.MainThread.call_main() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gnu.java.lang.MainThread.run() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
[EMAIL PROTECTED] /tmp/b $ javac gunzipbug.java
[EMAIL PROTECTED] /tmp/b $ java -cp . gunzipbug
java.io.EOFException: Unexpected end of ZLIB input stream
        at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:215)
        at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:134)
        at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:87)
        at gunzipbug.main(gunzipbug.java:19)
[EMAIL PROTECTED] /tmp/b $ cat gunzipbug.java
import java.util.Random;
import java.util.zip.*;
import java.io.*;

public class gunzipbug {
    public static void main(String args[]) {
        try {
            ByteArrayOutputStream full = new ByteArrayOutputStream(1024);
            GZIPOutputStream gzout = new GZIPOutputStream(full);
            byte buf[] = new byte[1024];
            new Random().nextBytes(buf);
            gzout.write(buf);
            gzout.close();
            byte gzdata[] = full.toByteArray();

            // now only read the first 128 bytes of that data
            ByteArrayInputStream truncated = new ByteArrayInputStream(gzdata, 0, 128);
            GZIPInputStream gzin = new GZIPInputStream(truncated);
            byte read[] = new byte[1024];
            int cur = 0;
            while ( (cur = gzin.read(read, cur, read.length-cur)) != -1)
                ; //noop
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

--
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461