https://issues.apache.org/bugzilla/show_bug.cgi?id=46354

--- Comment #4 from Konstantin Kolinko <knst.koli...@gmail.com>  2009-01-03 16:14:26 PST ---
This is caused by a bug in the implementation of
o.a.jasper.runtime.BodyContentImpl#setWriter(Writer)
in the current tc6.0.x and tc5.5.x code (and thus in TC 6.0.18, TC 5.5.27).

That method is called by PageContextImpl#pushBody(Writer) and is the one that
prepares the bodycontent instance for reuse.

The current code, with comments omitted, is the following:

558:    void setWriter(Writer writer) {
559:        this.writer = writer;
560:        closed = false;
561:        if (writer != null) {
571:            if (bufferSize != 0) {
572:                bufferSizeSave = bufferSize;
573:                bufferSize = 0;
574:            }
575:        } else {
576:            bufferSize = bufferSizeSave;
577:            clearBody();
578:        }
579:    }

The unconditional assignment on line 576 is wrong.

Consider the following sequence of events:

1. setWriter(null)
   bufferSize = bufferSizeSave  is assigned 0 // <- this is wrong (1)

2. write more than 512 bytes of data
   bufferSize becomes > 512

3. setWriter(writer)
   bufferSizeSave = bufferSize  is assigned a value that is > 512

4. setWriter(null)
   bufferSize = bufferSizeSave  is > 512
   BodyContentImpl#clear() is called and shrinks the buffer to its default
   size of 512, bufferSize becomes 512

5. write several bytes of data

6. setWriter(null)
   bufferSize = bufferSizeSave  is > 512  // <- this is wrong (2)

7. write more than 512 bytes of data

At this point the ArrayIndexOutOfBoundsException should occur, because
bufferSize is > 512, but the buffer is only 512 bytes.


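The sequence of events in the comment above can be replayed against a small model of the buffer bookkeeping. This is an added example, not part of the original comment and not Tomcat's code: the class name BodyBufferModel is hypothetical, only setWriter() follows the quoted lines, and clear() and write() are simplified assumptions about how the buffer shrinks and grows.

```java
import java.util.Arrays;

// Simplified model: only setWriter() follows the quoted code; clear() and
// write() are assumptions about how the buffer shrinks and grows.
public class BodyBufferModel {
    static final int DEFAULT_SIZE = 512;   // default size named in the comment
    char[] cb = new char[DEFAULT_SIZE];
    int bufferSize = DEFAULT_SIZE, bufferSizeSave, nextChar;
    Object writer;                         // stand-in for java.io.Writer

    void setWriter(Object writer) {        // buffer-size logic of lines 558-579
        this.writer = writer;
        if (writer != null) {
            if (bufferSize != 0) { bufferSizeSave = bufferSize; bufferSize = 0; }
        } else {
            bufferSize = bufferSizeSave;   // line 576: unconditional restore
            clear();
        }
    }

    void clear() {                         // assumed: reset, shrink oversized buffer
        nextChar = 0;
        if (cb.length > DEFAULT_SIZE) { bufferSize = DEFAULT_SIZE; cb = new char[DEFAULT_SIZE]; }
    }

    void write(int len) {                  // assumed: growth is decided by bufferSize
        if (writer != null) return;        // data would go to the wrapped writer
        if (len >= bufferSize - nextChar) {
            cb = Arrays.copyOf(cb, cb.length + Math.max(len, cb.length));
            bufferSize = cb.length;
        }
        System.arraycopy(new char[len], 0, cb, nextChar, len); // throws if cb is too small
        nextChar += len;
    }

    public static void main(String[] args) {
        BodyBufferModel b = new BodyBufferModel();
        b.setWriter(null); b.write(600);   // steps 1-2
        b.setWriter(new Object());         // step 3
        b.setWriter(null); b.write(10);    // steps 4-5
        b.setWriter(null);                 // step 6: stale bufferSizeSave restored
        System.out.println("bufferSize=" + b.bufferSize + " cb.length=" + b.cb.length);
        try {
            b.write(600);                  // step 7
        } catch (IndexOutOfBoundsException e) {
            System.out.println("step 7: " + e.getClass().getSimpleName());
        }
    }
}
```

In this model the restore at step 6 leaves bufferSize larger than cb.length, so the capacity check at step 7 passes and the copy runs past the end of the array.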