[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2006-03-09 Thread tromey at gcc dot gnu dot org


--- Comment #4 from tromey at gcc dot gnu dot org  2006-03-09 19:02 ---
Testing a patch.


-- 

tromey at gcc dot gnu dot org changed:

What                  |Removed                           |Added
----------------------+----------------------------------+-----------------------------
AssignedTo            |unassigned at gcc dot gnu dot org |tromey at gcc dot gnu dot org
Status                |NEW                               |ASSIGNED
Last reconfirmed date |2005-10-24 19:05:27               |2006-03-09 19:02:16


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2006-03-09 Thread tromey at gcc dot gnu dot org


--- Comment #5 from tromey at gcc dot gnu dot org  2006-03-09 20:22 ---
Subject: Bug 24461

Author: tromey
Date: Thu Mar  9 20:21:58 2006
New Revision: 111870

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=111870
Log:
PR libgcj/24461:
* java/util/zip/InflaterInputStream.java (fill): Throw exception
if stream is truncated.

Modified:
trunk/libjava/ChangeLog
trunk/libjava/java/util/zip/InflaterInputStream.java


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2006-03-09 Thread tromey at gcc dot gnu dot org


--- Comment #6 from tromey at gcc dot gnu dot org  2006-03-09 20:25 ---
Subject: Bug 24461

Author: tromey
Date: Thu Mar  9 20:25:23 2006
New Revision: 111871

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=111871
Log:
PR libgcj/24461:
* java/util/zip/InflaterInputStream.java (fill): Throw exception
if stream is truncated.

Modified:
branches/gcc-4_1-branch/libjava/ChangeLog
branches/gcc-4_1-branch/libjava/java/util/zip/InflaterInputStream.java


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2006-03-09 Thread tromey at gcc dot gnu dot org


--- Comment #7 from tromey at gcc dot gnu dot org  2006-03-09 20:27 ---
Fix checked in.


-- 

tromey at gcc dot gnu dot org changed:

What             |Removed  |Added
-----------------+---------+---------
Status           |ASSIGNED |RESOLVED
Resolution       |         |FIXED
Target Milestone |---      |4.1.1


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2006-02-04 Thread tromey at gcc dot gnu dot org


--- Comment #3 from tromey at gcc dot gnu dot org  2006-02-04 23:51 ---
*** Bug 25948 has been marked as a duplicate of this bug. ***


-- 

tromey at gcc dot gnu dot org changed:

What |Removed |Added
-----+--------+------------------------
CC   |        |GCC at Stolsvik dot com


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2005-10-24 Thread tromey at gcc dot gnu dot org


-- 

tromey at gcc dot gnu dot org changed:

What                  |Removed          |Added
----------------------+-----------------+--------------------
Status                |UNCONFIRMED      |NEW
Ever Confirmed        |0                |1
Last reconfirmed date |-00-00 00:00:00  |2005-10-24 19:05:27


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2005-10-24 Thread tromey at gcc dot gnu dot org


--- Comment #2 from tromey at gcc dot gnu dot org  2005-10-24 19:31 ---
FWIW, I tried this with jamvm+classpath cvs, and got the expected result.
So it does appear to be gcj-specific.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461



[Bug libgcj/24461] array access in either GZIPInputStream, Inflater, natInflate.cc, or zlib

2005-10-22 Thread jrandom-gcc at i2p dot net


--- Comment #1 from jrandom-gcc at i2p dot net  2005-10-22 11:57 ---
Found the cause & can reproduce it.  The bug can be reproduced by dealing with
a truncated gzip stream, as shown below.  The fix, I believe, would have
GZIPInputStream using inf.getRemaining() to determine the tmp[] buffer size,
instead of the fixed 8 bytes.  Note that classpath does not have the same
GZIPInputStream.read(byte[],int,int), and this bug hasn't been tested on a JVM
using classpath, so it may be gcj-specific.

[EMAIL PROTECTED] /tmp/b $ gcj -o bug --main=gunzipbug gunzipbug.java
[EMAIL PROTECTED] /tmp/b $ ./bug
java.lang.ArrayIndexOutOfBoundsException
   at java.lang.System.arraycopy(java.lang.Object, int, java.lang.Object, int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at java.util.zip.GZIPInputStream.read(byte[], int, int) (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gunzipbug.main(java.lang.String[]) (Unknown Source)
   at gnu.java.lang.MainThread.call_main() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
   at gnu.java.lang.MainThread.run() (/usr/local/gcc-4.0.2/lib/libgcj.so.6.0.0)
[EMAIL PROTECTED] /tmp/b $ javac gunzipbug.java
[EMAIL PROTECTED] /tmp/b $ java -cp . gunzipbug
java.io.EOFException: Unexpected end of ZLIB input stream
   at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:215)
   at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:134)
   at java.util.zip.GZIPInputStream.read(GZIPInputStream.java:87)
   at gunzipbug.main(gunzipbug.java:19)
[EMAIL PROTECTED] /tmp/b $ cat gunzipbug.java
import java.util.Random;
import java.util.zip.*;
import java.io.*;

public class gunzipbug {
  public static void main(String args[]) {
    try {
      // build a complete gzip stream from 1024 random bytes
      ByteArrayOutputStream full = new ByteArrayOutputStream(1024);
      GZIPOutputStream gzout = new GZIPOutputStream(full);
      byte buf[] = new byte[1024];
      new Random().nextBytes(buf);
      gzout.write(buf);
      gzout.close();
      byte gzdata[] = full.toByteArray();

      // now only read the first 128 bytes of that data
      ByteArrayInputStream truncated = new ByteArrayInputStream(gzdata, 0, 128);
      GZIPInputStream gzin = new GZIPInputStream(truncated);
      byte read[] = new byte[1024];
      int cur = 0;
      // read until end of stream; the truncated input triggers the exception
      while ( (cur = gzin.read(read, cur, read.length-cur)) != -1)
        ; //noop
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24461
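
The check named in the commit log above ("Throw exception if stream is truncated"), shown as an added example that is not part of this thread and is not the libgcj patch. It drives java.util.zip.Inflater directly; the class name TruncatedInflateDemo, the method inflateAll and the sample data are assumptions made for illustration.

```java
import java.io.*;
import java.util.zip.*;

// Added illustration, not libgcj code; class and method names are hypothetical.
public class TruncatedInflateDemo {
  // Inflate a zlib stream, failing closed if the input ends before the
  // inflater reports that the compressed stream is finished.
  static byte[] inflateAll(InputStream in) throws IOException {
    Inflater inf = new Inflater();
    byte[] inBuf = new byte[64];
    byte[] outBuf = new byte[256];
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    try {
      while (!inf.finished()) {
        if (inf.needsDictionary())
          throw new ZipException("preset dictionary required");
        if (inf.needsInput()) {
          int n = in.read(inBuf, 0, inBuf.length);
          if (n < 0)  // EOF while the inflater still needs input: truncated
            throw new EOFException("Unexpected end of ZLIB input stream");
          inf.setInput(inBuf, 0, n);
        }
        out.write(outBuf, 0, inf.inflate(outBuf, 0, outBuf.length));
      }
    } catch (DataFormatException e) {
      throw new ZipException(e.getMessage());
    } finally {
      inf.end();  // release native zlib state on every path
    }
    return out.toByteArray();
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample input: 1024 bytes of a fixed pattern, deflated.
    byte[] plain = new byte[1024];
    for (int i = 0; i < plain.length; i++) plain[i] = (byte) (i * 31);
    ByteArrayOutputStream full = new ByteArrayOutputStream();
    DeflaterOutputStream dout = new DeflaterOutputStream(full);
    dout.write(plain);
    dout.close();
    byte[] z = full.toByteArray();
    System.out.println("full: " + inflateAll(new ByteArrayInputStream(z)).length + " bytes");
    try {
      inflateAll(new ByteArrayInputStream(z, 0, z.length / 2));
      System.out.println("truncated: no error (unexpected)");
    } catch (EOFException e) {
      System.out.println("truncated: " + e.getMessage());
    }
  }
}
```

Callers that decompress untrusted or network-supplied data can treat the EOFException as a clean "input truncated" signal instead of relying on a runtime array-bounds failure.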