[jira] [Created] (LUCENE-8536) The bytes parameter of the copy can be overflowed.

Thu, 18 Oct 2018 01:47:20 -0700 

Hao Zhong created LUCENE-8536:
---------------------------------

             Summary: The bytes parameter of the copy can be overflowed.
                 Key: LUCENE-8536
                 URL: https://issues.apache.org/jira/browse/LUCENE-8536
             Project: Lucene - Core
          Issue Type: Bug
          Components: -tools
    Affects Versions: trunk
            Reporter: Hao Zhong


The copy method of the PagedBytes class is as follow:

 

 
{code:java}
public void copy(BytesRef bytes, BytesRef out) {
int left = blockSize - upto;
if (bytes.length > left || currentBlock==null) {
if (currentBlock != null) {
addBlock(currentBlock);
didSkipBytes = true;
}
currentBlock = new byte[blockSize];
upto = 0;
left = blockSize;
assert bytes.length <= blockSize;
// TODO: we could also support variable block sizes
}

out.bytes = currentBlock;
out.offset = upto;
out.length = bytes.length;

System.arraycopy(bytes.bytes, bytes.offset, currentBlock, upto, bytes.length);
upto += bytes.length;
}
{code}
The method does not throw exceptions for illegal inputs. In the same class, the 
copyUsingLengthPrefix method checks the input value"

 

 

 
{code:java}
public long copyUsingLengthPrefix(BytesRef bytes) {
if (bytes.length >= 32768) {
throw new IllegalArgumentException("max length is 32767 (got " + bytes.length + 
")");
}

if (upto + bytes.length + 2 > blockSize) {
if (bytes.length + 2 > blockSize) {
throw new IllegalArgumentException("block size " + blockSize + " is too small 
to store length " + bytes.length + " bytes");
}
if (currentBlock != null) {
addBlock(currentBlock); 
}
currentBlock = new byte[blockSize];
upto = 0;
}

final long pointer = getPointer();

if (bytes.length < 128) {
currentBlock[upto++] = (byte) bytes.length;
} else {
currentBlock[upto++] = (byte) (0x80 | (bytes.length >> 8));
currentBlock[upto++] = (byte) (bytes.length & 0xff);
}
System.arraycopy(bytes.bytes, bytes.offset, currentBlock, upto, bytes.length);
upto += bytes.length;

return pointer;
}
{code}
I understand that in the first method, 
{code:java}
assert bytes.length <= blockSize;{code}
checks whether the length of the bytes is too large. However,  the method does 
not check blockSize either. As a result, the length of the bytes can still be 
overflowed, if blockSize is too large.  In addition, the second method also 
checks whether 
{code:java}
bytes.length + 2 > blockSize{code}
Shall the first method also checks the requirement?

 

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to