[ https://issues.apache.org/jira/browse/COLLECTIONS-701?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17938768#comment-17938768 ]
Volodymyr Siedlecki commented on COLLECTIONS-701:
-------------------------------------------------

If you add the set to itself once, no stack overflow occurs, but, if you add it twice, it does.

Not a very realistic scenario in practice, but still possible for an attacker to abuse it potentially.

Example code:
{code:java}
jshell> import org.apache.commons.collections4.list.*;
jshell> final List<Object> source = new ArrayList<>();
   ...> final List<Object> list = SetUniqueList.setUniqueList(source);
   ...> list.add(list);
source ==> []
list ==> []
$6 ==> true
jshell> list.add(list);
|  Exception java.lang.StackOverflowError
|        at AbstractListDecorator.hashCode (AbstractListDecorator.java:75)
|        at ArrayList.hashCodeRange (ArrayList.java:595)
|        at ArrayList.hashCode (ArrayList.java:582)
|        at AbstractListDecorator.hashCode (AbstractListDecorator.java:75)
|        at ArrayList.hashCodeRange (ArrayList.java:595)
{code}

> StackOverflowError in SetUniqueList.add() when it receives itself
> -----------------------------------------------------------------
>
>                 Key: COLLECTIONS-701
>                 URL: https://issues.apache.org/jira/browse/COLLECTIONS-701
>             Project: Commons Collections
>          Issue Type: Bug
>          Components: Collection
>    Affects Versions: 3.2.2
>            Reporter: Shin Hong
>            Priority: Critical
>             Fix For: 4.3
>
>
> Hi.
> We found that the following test case fails with a StackOverflowError
> exception:
> {code:java}
> test() {
>    SetUniqueList l = new SetUniqueList(new LinkedList<Object>()) ;
>    l.add((Object) l) ;
> }{code}
> The add() execution traps into an infinite recursion which crashes the
> program.
> From the stack trace, we found that the infinite recursion occurs
> at AbstractList.hashCode() since it invokes hashCode() of each of its
> elements.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
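The following is an added example, not part of the JIRA thread and not Commons Collections code. It uses a simplified stand-in (the hypothetical `UniqueList` class, built only on `java.util`) to show why the first self-insert returns while the second overflows, next to an identity check that rejects direct self-reference. The contains-then-add ordering in `add` is an assumption modelled on the behaviour in the jshell session above.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class SelfInsertDemo {
    // Hypothetical stand-in for a set-backed list decorator (assumption, not the library class).
    static class UniqueList {
        final List<Object> backing = new ArrayList<>();
        final Set<Object> seen = new HashSet<>();

        // Delegates to the backing list, which in turn hashes every element it holds.
        @Override public int hashCode() { return backing.hashCode(); }
        @Override public boolean equals(Object o) {
            return o instanceof UniqueList && backing.equals(((UniqueList) o).backing);
        }

        boolean add(Object o) {
            if (seen.contains(o)) return false; // hashes o; never terminates once backing holds this
            seen.add(o);
            return backing.add(o);
        }

        // Guarded variant: reject direct self-reference before any hashing takes place.
        boolean addChecked(Object o) {
            if (o == this || o == backing) {
                throw new IllegalArgumentException("list cannot contain itself");
            }
            return add(o);
        }
    }

    public static void main(String[] args) {
        UniqueList list = new UniqueList();
        // First insert: backing is still empty while o is hashed, so the hash terminates.
        System.out.println("first add returned " + list.add(list));
        try {
            list.add(list); // backing now holds list, so hashing list recurses into itself
        } catch (StackOverflowError e) {
            System.out.println("second add threw StackOverflowError");
        }
        try {
            new UniqueList().addChecked(list.backing.get(0) == list ? list : null);
            list.addChecked(list);
        } catch (IllegalArgumentException e) {
            System.out.println("guarded add rejected: " + e.getMessage());
        }
    }
}
```

The identity check only covers direct self-insertion; an indirect cycle (a list that contains another collection holding the first list) still recurses during hashing, so code that accepts untrusted object graphs needs cycle detection or a depth limit as well.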