Rohan Padhye created BCEL-309:
---------------------------------
Summary: NegativeArraySizeException when Code attribute length is negative
Key: BCEL-309
URL: https://issues.apache.org/jira/browse/BCEL-309
Project: Commons BCEL
Issue Type: Bug
Components: Parser
Affects Versions: 6.2
Reporter: Rohan Padhye
Attachments: Hello.class
Class parser throws an undocumented NegativeArraySizeException when parsing a
malformed class file.
h1. Steps to reproduce:
Attempt to parse the attached file "Hello.class" using the API
org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)
The file Hello.class was generated automatically by the fuzzer JQF
([https://github.com/rohanpadhye/jqf]).
h2. Expected output:
ClassFormatException should be thrown as the class file is malformed.
h2. Observed output:
Undocumented run-time exception is thrown:
java.lang.NegativeArraySizeException
at org.apache.bcel.classfile.Code.<init>(Code.java:75)
at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
at org.apache.bcel.classfile.Method.<init>(Method.java:82)
at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)
This is probably because the length of the Code attribute in a method is read
as a 4-byte signed integer, and an array of that size is allocated without
checking to see if the integer is negative.
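Added example, not BCEL's own code: a minimal reader for the fixed-size head of a JVM Code attribute, showing the unchecked pattern the report describes beside a version that validates code_length against the enclosing attribute_length before allocating. The nested ClassFormatException is a hypothetical stand-in for org.apache.bcel.classfile.ClassFormatException, and the input bytes are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class CodeLengthCheck {
    // Hypothetical stand-in for BCEL's ClassFormatException.
    static class ClassFormatException extends RuntimeException {
        ClassFormatException(String msg) { super(msg); }
    }

    // Unchecked: code_length is a u4 in the class file format, but readInt()
    // returns a signed int; any value >= 0x80000000 becomes negative and the
    // allocation throws NegativeArraySizeException instead of a parse error.
    static byte[] readCodeUnchecked(DataInputStream in) throws IOException {
        in.readUnsignedShort();          // max_stack
        in.readUnsignedShort();          // max_locals
        int codeLength = in.readInt();   // code_length (u4, read as signed)
        byte[] code = new byte[codeLength];
        in.readFully(code);
        return code;
    }

    // Checked: the code bytes cannot exceed attribute_length minus the 8-byte
    // head (max_stack + max_locals + code_length), so reject anything negative
    // or larger than that before allocating, and report it as malformed input.
    static byte[] readCodeChecked(DataInputStream in, int attributeLength) throws IOException {
        in.readUnsignedShort();          // max_stack
        in.readUnsignedShort();          // max_locals
        int codeLength = in.readInt();
        if (codeLength < 0 || codeLength > attributeLength - 8) {
            throw new ClassFormatException("Invalid code_length " + (codeLength & 0xFFFFFFFFL)
                    + " for attribute_length " + attributeLength);
        }
        byte[] code = new byte[codeLength];
        in.readFully(code);
        return code;
    }

    public static void main(String[] args) throws IOException {
        // Constructed malformed attribute body: max_stack=1, max_locals=1,
        // code_length=0xFFFFFFFF (reads as -1 via readInt), no code bytes follow.
        byte[] bad = {0, 1, 0, 1, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readCodeUnchecked(new DataInputStream(new ByteArrayInputStream(bad)));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked: " + e);
        }
        try {
            readCodeChecked(new DataInputStream(new ByteArrayInputStream(bad)), bad.length);
        } catch (ClassFormatException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```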
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)