Commons BCEL / BCEL-309

NegativeArraySizeException when Code attribute length is negative


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.2
    • Fix Version/s: None
    • Component/s: Parser
    • Labels: None

    Description

      Class parser throws an undocumented NegativeArraySizeException when parsing a malformed class file.

      Steps to reproduce:

      Attempt to parse the attached file "Hello.class" using the API

      org.apache.bcel.classfile.ClassParser.parse(java.io.InputStream)

      The file Hello.class was generated automatically by the fuzzer JQF (https://github.com/rohanpadhye/jqf).

      Expected output:

      ClassFormatException should be thrown as the class file is malformed.

      Observed output:

      Undocumented run-time exception is thrown:

      java.lang.NegativeArraySizeException
          at org.apache.bcel.classfile.Code.<init>(Code.java:75)
          at org.apache.bcel.classfile.Attribute.readAttribute(Attribute.java:220)
          at org.apache.bcel.classfile.FieldOrMethod.<init>(FieldOrMethod.java:109)
          at org.apache.bcel.classfile.Method.<init>(Method.java:82)
          at org.apache.bcel.classfile.ClassParser.readMethods(ClassParser.java:294)
          at org.apache.bcel.classfile.ClassParser.parse(ClassParser.java:153)

      This is probably because the length of the Code attribute in a method is read as a 4-byte signed integer, and an array of that size is allocated without checking whether the integer is negative.
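      As an added illustration (not BCEL's own code), the unchecked read described above next to a hardened one. The class-file format defines attribute_length as an unsigned u4, but DataInputStream.readInt() returns a signed int, so values 0x80000000 and above arrive as negative sizes; MalformedClassException, readAttributeUnchecked and readAttributeChecked are hypothetical names standing in for BCEL's ClassFormatException and the Code constructor.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class CodeLengthCheck {
    // Hypothetical stand-in for org.apache.bcel.classfile.ClassFormatException.
    static final class MalformedClassException extends IOException {
        MalformedClassException(String msg) { super(msg); }
    }

    // Unchecked read, mirroring the failure in the report: a u4 length read as a
    // signed int is passed straight to an array allocation.
    static byte[] readAttributeUnchecked(DataInputStream in) throws IOException {
        int length = in.readInt();
        byte[] buf = new byte[length];   // NegativeArraySizeException when length < 0
        in.readFully(buf);
        return buf;
    }

    // Hardened read: reject negative lengths and lengths beyond the bytes that
    // remain in the input, reporting a parse error the caller can document.
    static byte[] readAttributeChecked(DataInputStream in, int remaining) throws IOException {
        int length = in.readInt();
        if (length < 0 || length > remaining) {
            throw new MalformedClassException("attribute_length " + (length & 0xFFFFFFFFL)
                    + " exceeds " + remaining + " remaining bytes");
        }
        byte[] buf = new byte[length];
        in.readFully(buf);
        return buf;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: attribute_length = 0xFFFFFFF0 (-16 as a signed int),
        // followed by only 4 bytes of payload.
        byte[] sample = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xF0, 1, 2, 3, 4};
        try {
            readAttributeUnchecked(new DataInputStream(new ByteArrayInputStream(sample)));
        } catch (NegativeArraySizeException e) {
            System.out.println("unchecked: " + e);
        }
        try {
            readAttributeChecked(new DataInputStream(new ByteArrayInputStream(sample)),
                    sample.length - 4);
        } catch (MalformedClassException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```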

      Attachments

        1. Hello.class (1.0 kB, uploaded by Rohan Padhye)

      People

        Assignee: Unassigned
        Reporter: Rohan Padhye (rohanpadhye)