> From: Oswaldo Olivo [mailto:ozzy...@gmail.com] 
> Subject: Potential IndexOutBounds in AbstractServletInputStream::readLine() ?

> I was wondering if there is an unintentional potential index out of bounds
> exception in AbstractServletInputStream::readLine() ?

It's not unintentional.

> It seems that "len" is partially sanitized, but the offset parameter 'off'
> is not.

As the spec requires.

> In particular, 'off' could be allowed to be outside of 'buf', causing an
> exception while executing the statement b[off++]=(byte)c;

Which is an error by the caller, resulting in an exception.

> One could change the loop condition to something like
> "((c=readInternal())!= -1 && 0<=off && off<b.length)"

For what purpose?  The return value of -1 specifically means there is no more 
data to be read.

> I believe that the implementation of readLine() in javax.ServletInputStream
> handles these border cases by returning -1 whenever an access outside of the
> array is attempted, so it doesn't suffer from this problem.

Presumably you meant javax.servlet.ServletInputStream, not what you wrote.  The 
readLine() implementation for that class certainly does not do what you 
describe, nor should it.  Read the servlet spec and JavaDoc.

> Is this an issue that needs to be changed or is it the intended behavior to
> leave the responsibility of sanitizing the parameters to the caller ?

Nothing in the spec indicates that the current behavior is inappropriate.

 - Chuck
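
The exchange above, as an added example that is not part of the original message and is not Tomcat's source: `readLine` below is a hypothetical stand-in for the loop quoted in the question (including an assumed `len <= 0` check), and `readLineProposed` applies the suggested loop condition. With an out-of-range `off`, the proposed variant returns -1, which the caller cannot tell apart from end of stream, and it has already consumed a byte; validating in the caller surfaces the bug as an exception instead.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Objects;

public class ReadLineBounds {
    // Hypothetical stand-in for the loop discussed in the thread (assumption, not Tomcat code).
    static int readLine(InputStream in, byte[] b, int off, int len) throws IOException {
        if (len <= 0) return 0;
        int count = 0, c;
        while ((c = in.read()) != -1) {
            b[off++] = (byte) c;            // an out-of-range 'off' throws here: caller error
            count++;
            if (c == '\n' || count == len) break;
        }
        return count > 0 ? count : -1;      // -1 only ever means "no more data"
    }
    // Same loop with the condition proposed in the question.
    static int readLineProposed(InputStream in, byte[] b, int off, int len) throws IOException {
        if (len <= 0) return 0;
        int count = 0, c;
        while ((c = in.read()) != -1 && 0 <= off && off < b.length) {
            b[off++] = (byte) c;
            count++;
            if (c == '\n' || count == len) break;
        }
        return count > 0 ? count : -1;      // now also returned when 'off' is invalid
    }

    static InputStream body() {             // constructed sample request body
        return new ByteArrayInputStream("a=1\nb=2\n".getBytes(StandardCharsets.US_ASCII));
    }
    public static void main(String[] args) throws IOException {
        byte[] buf = new byte[8];
        int badOff = 16;                    // caller bug: offset beyond the buffer
        // Proposed condition: prints -1 (looks like EOF) and 7 bytes left, so one byte was lost.
        InputStream in = body();
        System.out.println("proposed: " + readLineProposed(in, buf, badOff, 4) + ", bytes left: " + in.available());
        // Caller-side validation (Java 9+): the error is reported before any byte is consumed.
        try {
            Objects.checkFromIndexSize(badOff, 4, buf.length);
            readLine(body(), buf, badOff, 4);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("caller error surfaced: " + e.getMessage());
        }
        System.out.println("valid call: " + readLine(body(), buf, 0, buf.length)); // prints 4
    }
}
```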

