DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14760>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14760 Array overflow exception in InternalOutputBuffer Summary: Array overflow exception in InternalOutputBuffer Product: Tomcat 4 Version: 4.1.12 Platform: Sun OS/Version: Solaris Status: UNCONFIRMED Severity: Major Priority: Other Component: Connector:Coyote HTTP/1.1 AssignedTo: [EMAIL PROTECTED] ReportedBy: [EMAIL PROTECTED] Overview: Variable 'buf' in org.apache.coyote.http11.InternalOutputBuffer can overflow in the write method. Steps to Reproduce: Unsure, appears eventually under medium load on our web-app. Continually hitting tomcat with requests which produce a lot of output data will eventually trigger it. Notes: I added some extra logging into InternalOutputBuffer to see what the contents of the 'buf' array were and at the point it overflows it appears to have multiple sets of response headers as below: --- snip --- HTTP/1.1 200 OK Content-Type: text/html;charset=ISO-8859-1 Cache-Control: no-cache, post-check=0, pre-check=0 Pragma: no-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Transfer-Encoding: chunked Date: Thu, 21 Nov 2002 12:02:39 GMT Server: Apache Coyote/1.0 HTTP/1.1 200 OK Content-Type: text/html;charset=ISO-8859-1 Cache-Control: no-cache, post-check=0, pre-check=0 Pragma: no-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Transfer-Encoding: chunked Date: Thu, 21 Nov 2002 12:02:39 GMT Server: Apache Coyote/1.0 Transfer-Encoding: chunked Date: Thu, 21 Nov 2002 12:02:39 GMT Server: Apache Coyote/1.0 HTTP/1.1 200 OK Content-Type: text/html;charset=ISO-8859-1 Cache-Control: no-cache, post-check=0, pre-check=0 Pragma: no-cache Expires: Thu, 01 Dec 1994 16:00:00 GMT Transfer-Encoding: chunked Date: Thu, 21 Nov 2002 12:02:39 GMT Server: Apache Coyote/1.0 Transfer-Encoding: chunked Date: Thu, 21 Nov 2002 12:02:39 GMT --- snip --- The buffer contains 32k worth of this stuff repeated at the point at which it overflows. The exception occurs due to the array index 'pos' being incremented without a range check to ensure that it's not going past the end of 'buf' but I'm assuming that the root problem is the fact that it's filling up at all rather than the lack of range checking. Stack Trace: java.lang.ArrayIndexOutOfBoundsException at org.apache.coyote.http11.InternalOutputBuffer.write(InternalOutputBuffer.java:615) at org.apache.coyote.http11.InternalOutputBuffer.sendStatus(InternalOutputBuffer.java:407) at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:901) at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:471) at org.apache.coyote.Response.action(Response.java:214) at org.apache.coyote.http11.InternalOutputBuffer.doWrite(InternalOutputBuffer.java:516) at org.apache.coyote.Response.doWrite(Response.java:513) at org.apache.coyote.tomcat4.OutputBuffer.realWriteBytes(OutputBuffer.java:380) at org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:360) at org.apache.tomcat.util.buf.ByteChunk.append(ByteChunk.java:338) at org.apache.tomcat.util.buf.IntermediateOutputStream.write(C2BConverter.java:273) at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:334) at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:403) at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:407) at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:150) at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213) at org.apache.tomcat.util.buf.WriteConvertor.flush(C2BConverter.java:222) at org.apache.tomcat.util.buf.C2BConverter.flushBuffer(C2BConverter.java:165) at org.apache.coyote.tomcat4.OutputBuffer.realWriteChars(OutputBuffer.java:576) at org.apache.tomcat.util.buf.CharChunk.flushBuffer(CharChunk.java:388) at org.apache.coyote.tomcat4.OutputBuffer.flush(OutputBuffer.java:340) at java.io.PrintWriter.flush(PrintWriter.java:120) at org.apache.coyote.tomcat4.CoyoteWriter.flush(CoyoteWriter.java:97) at org.apache.catalina.valves.ErrorReportValve.report(ErrorReportValve.java:366) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:205) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:641) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:174) at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:643) at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480) at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995) at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:223) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:405) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:380) at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:508) at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:533) at java.lang.Thread.run(Thread.java:536) -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
