RFR: 8282578: AIOOBE in javax.sound.sampled.Clip [v2]

Alexander Zvegintsev azvegint at openjdk.org
Wed Dec 7 19:46:06 UTC 2022 

On Wed, 7 Dec 2022 18:53:32 GMT, Alexander Zuev <kizune at openjdk.org> wrote:

>> src/java.desktop/share/classes/com/sun/media/sound/SoftMainMixer.java line 166:
>> 
>>> 164:                                         break;
>>> 165:                                     }
>>> 166:                                     // http://www.midi.org/about-midi/tuning_extens.shtml
>> 
>> Unrelated to change, but looks like those links become unavailable years ago.
>
> Yes. That's the problem referencing the external site for information. Unfortunately the documentation layout on midi site changed and one needs to read trough all of it to figure out the correct path that both relates to the midi-1.0 standard that we support and is not overwritten by some later addendum making it non-informative.

We might want to track this under some issue, if not done already.

>> src/java.desktop/share/classes/com/sun/media/sound/SoftMainMixer.java line 406:
>> 
>>> 404:                                     int ix = 0;
>>> 405:                                     for (int j = 6; j < data.length - 1; j += 2) {
>>> 406:                                         destinations[ix] = data[j] & 0xFF;
>> 
>> Here is another possible AIOOOBE
>> 
>> e.g. if `data` length is 8, we will have `destination` and `ranges` length of 0:
>> 
>> 
>> int[] data = new int[8];
>> 
>> System.out.println("data len " + data.length);
>> if (data.length < 7) {
>>     System.out.println("Prevent");
>>     return;
>> }
>> 
>> int newSize = (data.length - 7) / 2;
>> System.out.println("new size " + newSize);
>> 
>> int[] destinations = new int[newSize];
>> int[] ranges = new int[newSize];
>> int ix = 0;
>> for (int j = 6; j < data.length - 1; j += 2) {
>>     System.out.println("index %d %d".formatted(j, ix) );
>>     destinations[ix] = data[j] & 0xFF;
>>     System.out.println("index " + (j + 1));
>>     ranges[ix] = data[j + 1] & 0xFF;
>>     ix++;
>> }
>> 
>> 
>> Same applies to similar cases below.
>
> Ok, i think there are 3 places total with this possibility when increment goes by 2 so fixed them all.

Length check won't help here:


  int[] data = new int[100];
  if (data.length < 8) {
      return;
  }
  int[] destinations = new int[(data.length - 7) / 2];
  int[] ranges = new int[(data.length - 7) / 2];
  int ix = 0;
  for (int j = 6; j < data.length - 1; j += 2) {
      destinations[ix] = data[j] & 0xFF;
      ranges[ix] = data[j + 1] & 0xFF;
      ix++;
  }

`Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 46 out of bounds for length 46`


We might want to add more test cases to the test.

-------------

PR: https://git.openjdk.org/jdk/pull/9016

More information about the client-libs-dev mailing list