List: xmlbeans-dev
Subject: [jira] Resolved: (XMLBEANS-115) ArrayIndexOutOfBounds test case and patch for version 1.0.3
From: "Yana Kadiyska (JIRA)" <xmlbeans-dev () xml ! apache ! org>
Date: 2005-03-22 19:36:25
Message-ID: 962844809.1111520185195.JavaMail.jira () ajax ! apache ! org
[ http://issues.apache.org/jira/browse/XMLBEANS-115?page=history ]
Yana Kadiyska resolved XMLBEANS-115:
------------------------------------
Resolution: Fixed
Fix Version: Version 1.0.4
Patch checked in at SVN revision 158152
> ArrayIndexOutOfBounds test case and patch for version 1.0.3
> -----------------------------------------------------------
>
> Key: XMLBEANS-115
> URL: http://issues.apache.org/jira/browse/XMLBEANS-115
> Project: XMLBeans
> Type: Bug
> Components: XmlObject
> Versions: Version 1.0.3
> Environment: JDK 1.4.2, Redhat Enterprise Linux 3.0
> Reporter: Joshua Blatt
> Assignee: Yana Kadiyska
> Fix For: Version 1.0.4
> Attachments: xmlbeans_arrayindexoutofbounds_test.tar.gz
>
> We've seen intermittent ArrayIndexOutOfBounds exceptions thrown by xmlbeans version
> 1.0.3 in our production environment (JDK 1.4.2, Redhat Enterprise Linux 3.0). A
> typical stack trace looks like this:
> Caused by: java.lang.ArrayIndexOutOfBoundsException
>     at java.lang.System.arraycopy(Native Method)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2057)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1890)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1369)
>     at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:777)
>     at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:520)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1660)
>     at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2150)
>     at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2273)
>     at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3130)
>     at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
>     at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:178)
>     at com.overture.service.common.xml.Utils.toString(Utils.java:143)
>     ... 31 more
>
> Looking at the org.apache.xmlbeans.impl.store.Saver$TextSaver.replace
> implementation, it's pretty clear that there's a bug in this code. When reserved
> xml characters like '&', '<', etc. are replaced by their "&amp;", "&lt;", etc.
> equivalents, all the characters in the _buf buffer are shuffled over to make room
> for the extra characters. The shuffle, however, does not wrap around to the
> beginning of the buffer if the extra length required would exceed _buf.length. The
> result is an intermittent buffer overflow that is more likely the more reserved
> characters are present in the input. The output below is from a diagnostic
> System.err.println added to the TextSaver.replace method running our test case:
> [java] _out = 0, _in = 8472, i =7496, _buf.length = 16384, dCch = 9, _free = 7912, replacement = <![CDATA[&
> [java] _out = 8192, _in = 9754, i =9233, _buf.length = 16384, dCch = 9, _free = 14822, replacement = <![CDATA[>
> [java] _out = 8192, _in = 11269, i =10514, _buf.length = 16384, dCch = 9, _free = 13307, replacement = <![CDATA[
> [java] _out = 8192, _in = 12838, i =12029, _buf.length = 16384, dCch = 9, _free = 11738, replacement = <![CDATA[&
> [java] _out = 8192, _in = 14241, i =13598, _buf.length = 16384, dCch = 9, _free = 10335, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15341, i =15002, _buf.length = 16384, dCch = 9, _free = 9235, replacement = <![CDATA[&
> [java] _out = 8192, _in = 16115, i =16101, _buf.length = 16384, dCch = 4, _free = 8461, replacement = &amp;
> [java] _out = 8192, _in = 16119, i =16109, _buf.length = 16384, dCch = 4, _free = 8457, replacement = &amp;
> [java] _out = 8192, _in = 16123, i =16114, _buf.length = 16384, dCch = 3, _free = 8453, replacement = &lt;
> [java] _out = 8192, _in = 16126, i =16118, _buf.length = 16384, dCch = 4, _free = 8450, replacement = &amp;
> [java] _out = 8192, _in = 16130, i =16125, _buf.length = 16384, dCch = 3, _free = 8446, replacement = &lt;
> [java] _out = 8192, _in = 16133, i =16130, _buf.length = 16384, dCch = 4, _free = 8443, replacement = &amp;
> [java] _out = 8192, _in = 16137, i =16136, _buf.length = 16384, dCch = 3, _free = 8439, replacement = &lt;
> [java] _out = 0, _in = 1238, i =505, _buf.length = 16384, dCch = 9, _free = 15146, replacement = <![CDATA[<
> [java] _out = 0, _in = 2140, i =2003, _buf.length = 16384, dCch = 9, _free = 14244, replacement = <![CDATA[
> [java] _out = 0, _in = 3041, i =2904, _buf.length = 16384, dCch = 9, _free = 13343, replacement = <![CDATA[?
> [java] _out = 0, _in = 4658, i =3806, _buf.length = 16384, dCch = 9, _free = 11726, replacement = <![CDATA[&
> [java] _out = 0, _in = 6069, i =5422, _buf.length = 16384, dCch = 9, _free = 10315, replacement = <![CDATA[
> [java] _out = 0, _in = 7485, i =6831, _buf.length = 16384, dCch = 9, _free = 8899, replacement = <![CDATA[&
> [java] _out = 0, _in = 8513, i =8246, _buf.length = 16384, dCch = 9, _free = 7871, replacement = <![CDATA[&
> [java] _out = 8192, _in = 9393, i =9275, _buf.length = 16384, dCch = 9, _free = 15183, replacement = <![CDATA[
> [java] _out = 8192, _in = 10309, i =10154, _buf.length = 16384, dCch = 9, _free = 14267, replacement = <![CDATA[&
> [java] _out = 0, _in = 8732, i =7756, _buf.length = 16384, dCch = 9, _free = 7652, replacement = <![CDATA[&
> [java] _out = 8192, _in = 10014, i =9493, _buf.length = 16384, dCch = 9, _free = 14562, replacement = <![CDATA[>
> [java] _out = 8192, _in = 11529, i =10774, _buf.length = 16384, dCch = 9, _free = 13047, replacement = <![CDATA[
> [java] _out = 8192, _in = 13098, i =12289, _buf.length = 16384, dCch = 9, _free = 11478, replacement = <![CDATA[&
> [java] _out = 8192, _in = 14501, i =13858, _buf.length = 16384, dCch = 9, _free = 10075, replacement = <![CDATA[?
> [java] _out = 8192, _in = 15601, i =15262, _buf.length = 16384, dCch = 9, _free = 8975, replacement = <![CDATA[&
> [java] _out = 8192, _in = 16375, i =16361, _buf.length = 16384, dCch = 4, _free = 8201, replacement = &amp;
> [java] _out = 8192, _in = 16379, i =16369, _buf.length = 16384, dCch = 4, _free = 8197, replacement = &amp;
> [java] _out = 8192, _in = 16383, i =16374, _buf.length = 16384, dCch = 3, _free = 8193, replacement = &lt;
> [java] java.lang.ArrayIndexOutOfBoundsException
> [java] at java.lang.System.arraycopy(Native Method)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2058)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1886)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1367)
> [java] at org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
> [java] at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2151)
> [java] at org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2274)
> [java] at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3118)
> [java] at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166)
> [java] at com.overture.test.XmlBeansTest$WorkerThread.run(XmlBeansTest.java:88)
> [java] died at iteration: 32
>
> Attached is the test case that consistently reproduces this problem.
> Inside the tarball is also a patch that has fixed the problem in our environment.
> Check out the included README for details on both the test case and the fix.
> I think it's also possible that this is the cause of this unresolved bug in your
> bugzilla: http://issues.apache.org/jira/browse/XMLBEANS-87
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
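
The failure mode described in the report, reduced to a small ring buffer and seeded with the values from the last diagnostic line before the exception (_out = 8192, _in = 16383, i = 16374, dCch = 3, i.e. "&lt;" replacing one character). This is an added illustration, not the XMLBeans Saver source and not the patch from the attachment; the class RingReplaceDemo and both method bodies are assumptions, and only the field names and numbers come from the report.

```java
// Added illustration: a simplified ring buffer, NOT the XMLBeans Saver source.
// Field names and sample numbers come from the report; method bodies are assumptions.
import java.util.Arrays;

public class RingReplaceDemo {
    final char[] buf = new char[16384];
    int out, in, free;   // read index, write index, unused slots

    RingReplaceDemo(int out, int in, int i) {   // assumes out <= i < in (data not yet wrapped)
        this.out = out; this.in = in;
        this.free = buf.length - (in - out);
        Arrays.fill(buf, out, in, 'x');
        buf[i] = '<';
    }

    // Linear shift of the tail [i+1, in) by dCch slots, with no wrap-around.
    void replaceLinear(int i, String repl) {
        int dCch = repl.length() - 1;
        // Throws once in + dCch exceeds buf.length, even though free slots exist at index 0.
        System.arraycopy(buf, i + 1, buf, i + 1 + dCch, in - (i + 1));
        repl.getChars(0, repl.length(), buf, i);
        in += dCch; free -= dCch;
    }

    // Wrap-aware shift: every index is reduced modulo buf.length.
    void replaceWrapped(int i, String repl) {
        int n = buf.length, dCch = repl.length() - 1;
        if (dCch > free) throw new IllegalStateException("no room; grow the buffer first");
        int tail = ((in - i - 1) % n + n) % n;          // chars after position i
        for (int k = tail - 1; k >= 0; k--)             // back to front, so no overwrite
            buf[(i + 1 + k + dCch) % n] = buf[(i + 1 + k) % n];
        for (int k = 0; k < repl.length(); k++)
            buf[(i + k) % n] = repl.charAt(k);
        in = (in + dCch) % n; free -= dCch;
    }

    public static void main(String[] args) {
        int out = 8192, in = 16383, i = 16374;   // last diagnostic line before the exception
        try {
            new RingReplaceDemo(out, in, i).replaceLinear(i, "&lt;");
        } catch (IndexOutOfBoundsException e) {
            System.out.println("linear shift: " + e.getClass().getName());
        }
        RingReplaceDemo b = new RingReplaceDemo(out, in, i);
        b.replaceWrapped(i, "&lt;");
        System.out.println("wrapped shift: in=" + b.in + " free=" + b.free
                + " tail wrapped to buf[0..1]=" + b.buf[0] + b.buf[1]);
    }
}
```

The linear variant fails only when a replacement lands within dCch characters of the end of the array, which matches the intermittent pattern in the report: the more reserved characters in the input, the more often a replacement falls in that window.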