RFR: 8282578: AIOOBE in javax.sound.sampled.Clip [v2]

Alexander Zuev kizune at openjdk.org
Wed Dec 7 21:23:55 UTC 2022


On Wed, 7 Dec 2022 21:15:30 GMT, Alexander Zuev <kizune at openjdk.org> wrote:

>> Length check won't help here:
>> 
>> 
>>   int[] data = new int[100];
>>   if (data.length < 8) {
>>       return;
>>   }
>>   int[] destinations = new int[(data.length - 7) / 2];
>>   int[] ranges = new int[(data.length - 7) / 2];
>>   int ix = 0;
>>   for (int j = 6; j < data.length - 1; j += 2) {
>>       destinations[ix] = data[j] & 0xFF;
>>       ranges[ix] = data[j + 1] & 0xFF;
>>       ix++;
>>   }
>> 
>> `Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 46 out of bounds for length 46`
>> 
>> 
>> We might want to add more test cases to the test.
>
>> Length check won't help here:
> 
> I think the problem here is in the original code: the array allocation was reused across 3 places, and it reserved buffers for ranges and destinations that should load the remainder of the data from offset 7, but the first two places try to load data from offset 6, which causes a buffer overflow. The idea of my new fix here is to create proper buffers.

> We might want to add more test cases to the test.

That would be an extensive task; there is a set of tests being run by a third party, and they are the ones who created the initial issue. I do not think it is practical to bring all the cases they test here. That testing takes a very long time.

-------------

PR: https://git.openjdk.org/jdk/pull/9016
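
The sizing mismatch discussed in this message, as an added example (not code from the PR or the JDK): it counts how many pairs a loop starting at a given offset actually writes and allocates the buffers from that count. The class and method names are hypothetical; the loop shape and the `(len - 7) / 2` sizing are taken from the quoted snippet.

```java
public class PairBufferSizing {
    // Number of pairs written by: for (j = start; j < len - 1; j += 2)
    static int pairCount(int len, int start) {
        return Math.max(0, (len - start) / 2);
    }

    // Hypothetical helper: size both buffers from the loop's own start offset.
    static int[][] split(int[] data, int start) {
        int n = pairCount(data.length, start);
        int[] destinations = new int[n];
        int[] ranges = new int[n];
        int ix = 0;
        for (int j = start; j < data.length - 1; j += 2) {
            destinations[ix] = data[j] & 0xFF;
            ranges[ix] = data[j + 1] & 0xFF;
            ix++;
        }
        return new int[][] { destinations, ranges };
    }

    public static void main(String[] args) {
        // Compare the offset-7 sizing with what a loop starting at offset 6 writes.
        for (int len = 8; len <= 12; len++) {
            int allocated = (len - 7) / 2;   // sizing from the quoted snippet
            int written = pairCount(len, 6); // the quoted loop starts at 6
            System.out.printf("len=%d allocated=%d written=%d %s%n",
                    len, allocated, written,
                    written > allocated ? "OVERFLOW" : "ok");
        }
        // Constructed input with the same length as the quoted failing case.
        int[] data = new int[100];
        int[][] out = split(data, 6);
        System.out.println("len=100 from offset 6: " + out[0].length
                + " pairs, no exception");
    }
}
```

For even lengths the offset-6 loop writes one more pair than `(len - 7) / 2` allocates, which is the length-100 case quoted above; for odd lengths the two counts coincide, so a test with only odd-length input would not catch the mismatch.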


