-
Bug
-
Resolution: Unresolved
-
P4
-
None
-
9
-
x86_64
-
linux
FULL PRODUCT VERSION :
java version "9"
Java(TM) SE Runtime Environment (build 9+181)
Java HotSpot(TM) 64-Bit Server VM (build 9+181, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux 4.11.12-100.fc24.x86_64 #1 SMP Fri Jul 21 17:35:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
java.lang.StringCoding.encodeUTF8 (line 505) does not check for array bounds when allocating a double-sized array, when encoding a String into UTF-8 format. While the conversion would be possible (the resulting array would fit to array-size limit), an exception is thrown (stacktrace below) due to integer overflow.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
A test case is provided below.
I have actually triggered this bug when compiling a fat JAR using jaotc (JDK9 experimental feature).
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NegativeArraySizeException
at java.base/java.lang.StringCoding.encodeUTF8(StringCoding.java:505)
at java.base/java.lang.StringCoding.encode(StringCoding.java:593)
at java.base/java.lang.String.getBytes(String.java:975)
at StringCodingOverflow.main(StringCodingOverflow.java:8)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.nio.charset.Charset;
import java.util.Arrays;
public class StringCodingOverflow {
public static void main(String[] args) {
char[] chars = new char[(Integer.MAX_VALUE >> 1) + 1];
Arrays.fill(chars, 'A');
byte[] bytes = new String(chars).getBytes(Charset.forName("UTF-8"));
System.out.printf("%d chars -> %d bytes", chars.length, bytes.length);
}
}
---------- END SOURCE ----------
java version "9"
Java(TM) SE Runtime Environment (build 9+181)
Java HotSpot(TM) 64-Bit Server VM (build 9+181, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Linux 4.11.12-100.fc24.x86_64 #1 SMP Fri Jul 21 17:35:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
A DESCRIPTION OF THE PROBLEM :
java.lang.StringCoding.encodeUTF8 (line 505) does not check for array bounds when allocating a double-sized array, when encoding a String into UTF-8 format. While the conversion would be possible (the resulting array would fit to array-size limit), an exception is thrown (stacktrace below) due to integer overflow.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
A test case is provided below.
I have actually triggered this bug when compiling a fat JAR using jaotc (JDK9 experimental feature).
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NegativeArraySizeException
at java.base/java.lang.StringCoding.encodeUTF8(StringCoding.java:505)
at java.base/java.lang.StringCoding.encode(StringCoding.java:593)
at java.base/java.lang.String.getBytes(String.java:975)
at StringCodingOverflow.main(StringCodingOverflow.java:8)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.nio.charset.Charset;
import java.util.Arrays;
public class StringCodingOverflow {
public static void main(String[] args) {
char[] chars = new char[(Integer.MAX_VALUE >> 1) + 1];
Arrays.fill(chars, 'A');
byte[] bytes = new String(chars).getBytes(Charset.forName("UTF-8"));
System.out.printf("%d chars -> %d bytes", chars.length, bytes.length);
}
}
---------- END SOURCE ----------