'[jira] Resolved: (XMLBEANS-115) ArrayIndexOutOfBounds test case and patch for version 1.0.3'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       xmlbeans-dev
Subject:    [jira] Resolved: (XMLBEANS-115) ArrayIndexOutOfBounds test case and patch for version 1.0.3
From:       "Yana Kadiyska (JIRA)" <xmlbeans-dev () xml ! apache ! org>
Date:       2005-03-22 19:36:25
Message-ID: 962844809.1111520185195.JavaMail.jira () ajax ! apache ! org
[Download RAW message or body]

     [ http://issues.apache.org/jira/browse/XMLBEANS-115?page=history ]
     
Yana Kadiyska resolved XMLBEANS-115:
------------------------------------

     Resolution: Fixed
    Fix Version: Version 1.0.4

Patch checked in at SVN revision 158152

> ArrayIndexOutOfBounds test case and patch for version 1.0.3
> -----------------------------------------------------------
> 
> Key: XMLBEANS-115
> URL: http://issues.apache.org/jira/browse/XMLBEANS-115
> Project: XMLBeans
> Type: Bug
> Components: XmlObject
> Versions: Version 1.0.3
> Environment: JDK 1.4.2, Redhat Enterprise Linux 3.0
> Reporter: Joshua Blatt
> Assignee: Yana Kadiyska
> Fix For: Version 1.0.4
> Attachments: xmlbeans_arrayindexoutofbounds_test.tar.gz
> 
> We've seen intermittent ArrayIndexOutOfBounds exceptions thrown by xmlbeans version \
> 1.0.3 in our production environment (JDK 1.4.2, Redhat Enterprise Linux 3.0).  A \
> typical stack trace looks like this: 
> Caused by: java.lang.ArrayIndexOutOfBoundsException
> at java.lang.System.arraycopy(Native Method) at \
> org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2057) at \
> org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.java:1890)  at \
> org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:1369) at \
> org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:777) at \
> org.apache.xmlbeans.impl.store.Saver.process(Saver.java:520) at \
> org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1660) at \
> org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2150) at \
> org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2273) at \
> org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3130) at \
> org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:166) at \
> org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:178) at \
>                 com.overture.service.common.xml.Utils.toString(Utils.java:143)
> ... 31 more
> 
> Looking at the org.apache.xmlbeans.impl.store.Saver$TextSaver.replace
> implementation, it's pretty clear that there's a bug in this code.  When reserved \
> xml characters like '&', '<', etc. are replaced by their "&amp;", "&lt;", etc. \
> equivalents, all the characters in the _buf buffer are shuffled over to make room \
> for the extra characters.  The shuffle, however, does not wrap around to the \
> beginning of the buffer if the extra length required would exceed _buf.length.  The \
> result is an intermittent buffer overflow that is more likely the more reserved \
> characters are present in the input. The output below is from a diagnostic \
> System.err.println added to the TextSaver.replace method running our test case: 
> [java] _out = 0, _in = 8472, i =7496, _buf.length = 16384, dCch = 9, _free = 7912, \
> replacement = <![CDATA[&  [java] _out = 8192, _in = 9754, i =9233, _buf.length = \
> 16384, dCch = 9, _free = 14822, replacement = <![CDATA[>  [java] _out = 8192, _in = \
> 11269, i =10514, _buf.length = 16384, dCch = 9, _free = 13307, replacement = \
> <![CDATA[  [java] _out = 8192, _in = 12838, i =12029, _buf.length = 16384, dCch = \
> 9, _free = 11738, replacement = <![CDATA[&  [java] _out = 8192, _in = 14241, i \
> =13598, _buf.length = 16384, dCch = 9, _free = 10335, replacement = <![CDATA[? \
> [java] _out = 8192, _in = 15341, i =15002, _buf.length = 16384, dCch = 9, _free = \
> 9235, replacement = <![CDATA[&  [java] _out = 8192, _in = 16115, i =16101, \
> _buf.length = 16384, dCch = 4, _free = 8461, replacement = &amp;  [java] _out = \
> 8192, _in = 16119, i =16109, _buf.length = 16384, dCch = 4, _free = 8457, \
> replacement = &amp;  [java] _out = 8192, _in = 16123, i =16114, _buf.length = \
> 16384, dCch = 3, _free = 8453, replacement = &lt;  [java] _out = 8192, _in = 16126, \
> i =16118, _buf.length = 16384, dCch = 4, _free = 8450, replacement = &amp;  [java] \
> _out = 8192, _in = 16130, i =16125, _buf.length = 16384, dCch = 3, _free = 8446, \
> replacement = &lt;  [java] _out = 8192, _in = 16133, i =16130, _buf.length = 16384, \
> dCch = 4, _free = 8443, replacement = &amp;  [java] _out = 8192, _in = 16137, i \
> =16136, _buf.length = 16384, dCch = 3, _free = 8439, replacement = &lt;  [java] \
> _out = 0, _in = 1238, i =505, _buf.length = 16384, dCch = 9, _free = 15146, \
> replacement = <![CDATA[<  [java] _out = 0, _in = 2140, i =2003, _buf.length = \
> 16384, dCch = 9, _free = 14244, replacement = <![CDATA[  [java] _out = 0, _in = \
> 3041, i =2904, _buf.length = 16384, dCch = 9, _free = 13343, replacement = \
> <![CDATA[? [java] _out = 0, _in = 4658, i =3806, _buf.length = 16384, dCch = 9, \
> _free = 11726, replacement = <![CDATA[&  [java] _out = 0, _in = 6069, i =5422, \
> _buf.length = 16384, dCch = 9, _free = 10315, replacement = <![CDATA[  [java] _out \
> = 0, _in = 7485, i =6831, _buf.length = 16384, dCch = 9, _free = 8899, replacement \
> = <![CDATA[&  [java] _out = 0, _in = 8513, i =8246, _buf.length = 16384, dCch = 9, \
> _free = 7871, replacement = <![CDATA[&  [java] _out = 8192, _in = 9393, i =9275, \
> _buf.length = 16384, dCch = 9, _free = 15183, replacement = <![CDATA[  [java] _out \
> = 8192, _in = 10309, i =10154, _buf.length = 16384, dCch = 9, _free = 14267, \
> replacement = <![CDATA[&  [java] _out = 0, _in = 8732, i =7756, _buf.length = \
> 16384, dCch = 9, _free = 7652, replacement = <![CDATA[&  [java] _out = 8192, _in = \
> 10014, i =9493, _buf.length = 16384, dCch = 9, _free = 14562, replacement = \
> <![CDATA[>  [java] _out = 8192, _in = 11529, i =10774, _buf.length = 16384, dCch = \
> 9, _free = 13047, replacement = <![CDATA[  [java] _out = 8192, _in = 13098, i \
> =12289, _buf.length = 16384, dCch = 9, _free = 11478, replacement = <![CDATA[&  \
> [java] _out = 8192, _in = 14501, i =13858, _buf.length = 16384, dCch = 9, _free = \
> 10075, replacement = <![CDATA[? [java] _out = 8192, _in = 15601, i =15262, \
> _buf.length = 16384, dCch = 9, _free = 8975, replacement = <![CDATA[&  [java] _out \
> = 8192, _in = 16375, i =16361, _buf.length = 16384, dCch = 4, _free = 8201, \
> replacement = &amp;  [java] _out = 8192, _in = 16379, i =16369, _buf.length = \
> 16384, dCch = 4, _free = 8197, replacement = &amp;  [java] _out = 8192, _in = \
> 16383, i =16374, _buf.length = 16384, dCch = 3, _free = 8193, replacement = &lt;  \
> [java] java.lang.ArrayIndexOutOfBoundsException [java] at \
> java.lang.System.arraycopy(Native Method)  [java] at
> org.apache.xmlbeans.impl.store.Saver$TextSaver.replace(Saver.java:2058)
> [java] at
> org.apache.xmlbeans.impl.store.Saver$TextSaver.entitizeContent(Saver.jav
> a:1886)
> [java] at
> org.apache.xmlbeans.impl.store.Saver$TextSaver.emitContainer(Saver.java:
> 1367)
> [java] at
> org.apache.xmlbeans.impl.store.Saver.processContainer(Saver.java:775)
> [java] at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:518)
> [java] at
> org.apache.xmlbeans.impl.store.Saver$TextSaver.ensure(Saver.java:1658)
> [java] at
> org.apache.xmlbeans.impl.store.Saver$TextSaver.read(Saver.java:2151)
> [java] at
> org.apache.xmlbeans.impl.store.Saver$TextReader.read(Saver.java:2274)
> [java] at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:3118)
> [java] at
> org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:16
> 6)
> [java] at
> com.overture.test.XmlBeansTest$WorkerThread.run(XmlBeansTest.java:88)
> [java] died at iteration: 32
> 
> Attached is the test case that consistently reproduces this problem.
> Inside the tarball is also a patch that has fixed the problem in our environment.  \
> Check out the included README for details on both the test case and the fix. 
> I think its also possible that this is the cause of this unresolved bug in your \
> bugzilla: http://issues.apache.org/jira/browse/XMLBEANS-87

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xmlbeans.apache.org
For additional commands, e-mail: dev-help@xmlbeans.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic