[Sablevm-bugs] [ sablevm-Bugs-677672 ] VM does not check for array alloc overflow
From: SourceForge.net <no...@so...> - 2004-07-03 13:30:56
Bugs item #677672, was opened at 2003-01-30 14:17
Message generated for change (Comment added) made by egagnon
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105523&aid=677672&group_id=5523

Category: None
Group: None
>Status: Closed
Resolution: None
Priority: 5
Submitted By: Archie Cobbs (archiecobbs)
Assigned to: Nobody/Anonymous (nobody)
Summary: VM does not check for array alloc overflow

Initial Comment:
Here is the bug:

$ cat ArrayOverflow.java
public class ArrayOverflow {
    public static void main(String[] args) {
        double[] array = new double[0x20000000];
        array[0x1000000] = 1.0;
    }
}
$ sablevm ArrayOverflow
sablevm: INTERNAL ERROR (source file "error.c", line 86): unexpected segmentation fault
Abort(core dumped)

The problem is that when allocating the array, SableVM does not check for 32 bit overflow. In this example, the array length fits within 32 bits but the array length multiplied by the size of each array element does not. As a result, the total size overflows (to zero!) and a zero length array is allocated.

SableVM should verify that the total array size does not overflow a "size_t" variable (SIZE_T_MAX).

----------------------------------------------------------------------

Comment By: Etienne M. Gagnon (egagnon)
Date: 2004-07-03 09:30

Message:
Logged In: YES
user_id=15365

This bug has been moved to the new SableVM Bug Tracking System.
Please visit: http://sablevm.org/bugs

----------------------------------------------------------------------

Comment By: Archie Cobbs (archiecobbs)
Date: 2003-03-03 12:32

Message:
Logged In: YES
user_id=99943

System.arraycopy() has a similar bug. I suspect there are other places where array bounds don't check that off + length > 0.

----------------------------------------------------------------------
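The size overflow from the initial comment and the arraycopy-style range check from the follow-up, as an added C example that is not SableVM's code or part of the original report. It assumes a 32-bit size_t (modelled with uint32_t so the result is the same on any host); ARRAY_HEADER_SIZE and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header size for this sketch; not taken from SableVM. */
#define ARRAY_HEADER_SIZE 16u

/* Size computed the unchecked way; uint32_t models a 32-bit size_t. */
static uint32_t array_bytes_unchecked32(int32_t length, uint32_t elem_size)
{
    return (uint32_t)length * elem_size;   /* wraps modulo 2^32 */
}

/* Checked size: fails instead of wrapping. Divides rather than multiplies,
   so the test itself cannot overflow. */
static bool array_bytes_checked32(int32_t length, uint32_t elem_size,
                                  uint32_t *out)
{
    if (length < 0 || elem_size == 0)
        return false;
    if ((uint32_t)length > (UINT32_MAX - ARRAY_HEADER_SIZE) / elem_size)
        return false;
    *out = ARRAY_HEADER_SIZE + (uint32_t)length * elem_size;
    return true;
}

/* arraycopy-style range check that never forms offset + count, so a huge
   count cannot wrap the sum to a negative int and slip past the bound. */
static bool range_ok(int32_t offset, int32_t count, int32_t array_len)
{
    if (offset < 0 || count < 0 || array_len < 0)
        return false;
    return offset <= array_len && count <= array_len - offset;
}

int main(void)
{
    uint32_t n = 0;
    printf("unchecked bytes for double[0x20000000]: %u\n",
           (unsigned)array_bytes_unchecked32(0x20000000, 8));
    printf("checked alloc accepted: %d\n",
           array_bytes_checked32(0x20000000, 8, &n));
    printf("range (1, INT32_MAX) in len 10 accepted: %d\n",
           range_ok(1, INT32_MAX, 10));
    return 0;
}
```

A VM would raise OutOfMemoryError when the checked size computation fails and IndexOutOfBoundsException when the range check fails, before touching the heap.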