FULL PRODUCT VERSION : java version "1.6.0_0" OpenJDK Runtime Environment (build 1.6.0_0-b12) OpenJDK Core VM (build 14.0-b08, interpreted mode) (built from icedtea6-ce9956fe8908) ADDITIONAL OS VERSION INFORMATION : All platforms A DESCRIPTION OF THE PROBLEM : In jdk/src/share/native/java/io/io_util.c, both readBytes and writeBytes include the following array bounds check: if ((off < 0) || (off > datalen) || (len < 0) || ((off + len) > datalen) || ((off + len) < 0)) { JNU_ThrowByName(env, "java/lang/IndexOutOfBoundsException", 0); return -1; } off, len and datalen are all signed 32-bit integers. The result of (off + len) is undefined in C if the result overflows, which can cause the exception not to be thrown. This causes testsuite failures on 32-bit Linux PowerPC on Fedora 10. STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : Compile the test case and run it on 32-bit Linux PowerPC on Fedora 10. EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - Exception in thread "main" java.lang.IndexOutOfBoundsException at java.io.FileInputStream.readBytes(Native Method) at java.io.FileInputStream.read(FileInputStream.java:236) at Test.main(Test.java:5) ACTUAL - Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException at java.io.FileInputStream.readBytes(Native Method) at java.io.FileInputStream.read(FileInputStream.java:236) at Test.main(Test.java:5) Note that the thrown exception is different; I'm guessing it comes from the (*env)->SetByteArrayRegion further down readBytes. REPRODUCIBILITY : This bug can be reproduced always. ---------- BEGIN SOURCE ---------- import java.io.FileInputStream; class Test { public static void main(String[] args) throws Exception { byte[] b = new byte[20]; (new FileInputStream("/bin/ls")).read(b, 1, 0x7fffffff); } } ---------- END SOURCE ---------- CUSTOMER SUBMITTED WORKAROUND : http://icedtea.classpath.org/hg/icedtea6/file/ce9956fe8908/patches/icedtea-io_util-overflow.patch
|