I see. Thank you!

-- Oswaldo.

On Wed, Mar 4, 2015 at 4:21 PM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> > From: Oswaldo Olivo [mailto:ozzy...@gmail.com]
> > Subject: Potential IndexOutBounds in AbstractServletInputStream::readLine()?
>
> > I was wondering if there is an unintentional potential index out of bounds
> > exception in AbstractServletInputStream::readLine()?
>
> It's not unintentional.
>
> > It seems that "len" is partially sanitized, but the offset parameter 'off'
> > is not.
>
> As the spec requires.
>
> > In particular, 'off' could be allowed to be outside of 'buf', causing an
> > exception while executing the statement b[off++]=(byte)c;
>
> Which is an error by the caller, resulting in an exception.
>
> > One could change the loop condition to something like
> > "((c=readInternal())!= -1 && 0<=off && off<b.length)"
>
> For what purpose? The return value of -1 specifically means there is no
> more data to be read.
>
> > I believe that the implementation of readLine() in javax.ServletInputStream
> > handles these border cases by returning -1 whenever an access outside of the
> > array is attempted, so it doesn't suffer from this problem.
>
> Presumably you meant javax.servlet.ServletInputStream, not what you
> wrote. The readLine() implementation for that class certainly does not do
> what you describe, nor should it. Read the servlet spec and JavaDoc.
>
> > Is this an issue that needs to be changed or is it the intended behavior to
> > leave the responsibility of sanitizing the parameters to the caller?
>
> Nothing in the spec indicates that the current behavior is inappropriate.
>
> - Chuck
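A stand-alone Java model of the readLine(byte[] b, int off, int len) contract the thread argues about, added here as an illustration; it is not Tomcat's or the servlet API's code, and the class name ReadLineDemo, the helper readLineChecked and the sample request bytes are constructed for this example. It shows that -1 only signals end of stream and that the off/len range check belongs at the call site, using the same rule java.io.InputStream.read(byte[], int, int) documents.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Objects;

public class ReadLineDemo {
    /**
     * Models the readLine(byte[], int, int) contract discussed above: copies bytes into
     * b from off until a '\n' has been copied (inclusive), len bytes have been copied,
     * or EOF. Returns the count, or -1 if EOF arrived before any byte was read.
     * As in the thread, off is not validated: a bad offset surfaces as an
     * ArrayIndexOutOfBoundsException from b[off++], which is the caller's error.
     */
    static int readLine(InputStream in, byte[] b, int off, int len) throws IOException {
        if (len <= 0) {
            return 0; // only len is sanitized
        }
        int count = 0, c;
        while ((c = in.read()) != -1) {   // -1 here means no more data, not a bounds problem
            b[off++] = (byte) c;
            count++;
            if (c == '\n' || count == len) {
                break;
            }
        }
        return count > 0 ? count : -1;
    }

    /** Caller-side check (constructed helper), same range rule as java.io.InputStream.read(byte[],int,int). */
    static int readLineChecked(InputStream in, byte[] b, int off, int len) throws IOException {
        Objects.checkFromIndexSize(off, len, b.length); // IndexOutOfBoundsException on bad arguments
        return readLine(in, b, off, len);
    }
    public static void main(String[] args) throws IOException {
        byte[] body = "GET /x HTTP/1.1\r\nHost: a\r\n".getBytes("ISO-8859-1"); // constructed input
        InputStream in = new ByteArrayInputStream(body);
        byte[] buf = new byte[8];
        // A line longer than len stops after len bytes; the rest of the line is left unread.
        int n = readLine(in, buf, 0, buf.length);
        System.out.println(n + " bytes: " + new String(buf, 0, n, "ISO-8859-1"));
        // Validation belongs at the call site: an offset past the end of buf is rejected
        // before any byte is read, instead of failing part-way through the copy.
        try {
            readLineChecked(in, buf, 12, 4);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("rejected at caller: " + e.getMessage());
        }
    }
}
```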