On Wed, 29 Nov 2023 22:49:17 GMT, Markus KARG <d...@openjdk.org> wrote:
>> Buffer copy was not there before, and defensive copy was never present in >> `ByteArrayInputStream` as well: >> https://github.com/openjdk/jdk/blob/9a6ca233c7e91ffa2ce9451568b3be88ccd04504/src/java.base/share/classes/java/io/ByteArrayInputStream.java#L213 > > Alan asked for this, and for good reason: While we implicitly trust > subclasses as the buffer is "theirs" as part of the inheritance, we do not > know where target stream comes from. It could be an injected verhicle to > perform (at least) the following: > * Leaking data. The target stream could access data beyond the intended > region. > * Poisoning. The target stream could write into the buffer. As Alan pointed out, it is a bug (actually even a security risk), so BAIS should get fixed, too. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/10525#discussion_r1409958304
