Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- Java 2.1.4
- None
Description
Hi Santuario Team,
I have encountered what I believe is an infinite loop in WeakHashMap.get() caused by non-synchronized access of the WeakHashMap cache in org.apache.xml.security.stax.impl.transformer.canonicalizer.CanonicalizerBase.
WeakHashMap, not being thread-safe, can cause threads to spin in infinite loops if accessed concurrently.
Observed multiple threads with identical stacktraces:
Thread 36 (Daemon): RoutingHandler
Type: java.lang.Thread
Group: main <- system
State: RUNNABLE
CPU: 1%
Details: Thread Pool: WorkerThreads:SYSTEM
Current State: Running
State Duration: 01h 34m 41s 941ms
Stack Trace:
    java.util.WeakHashMap.put(WeakHashMap.java:453)
    org.apache.xml.security.c14n.implementations.UtfHelpper.writeByte(UtfHelpper.java:51)
    org.apache.xml.security.stax.impl.transformer.canonicalizer.CanonicalizerBase.outputAttrToWriter(CanonicalizerBase.java:408)
    org.apache.xml.security.stax.impl.transformer.canonicalizer.CanonicalizerBase.transform(CanonicalizerBase.java:303)
    org.apache.xml.security.stax.impl.transformer.TransformIdentity$2.transform(TransformIdentity.java:132)
    org.apache.xml.security.stax.impl.transformer.TransformIdentity.transform(TransformIdentity.java:174)
    org.apache.xml.security.stax.impl.transformer.TransformEnvelopedSignature.transform(TransformEnvelopedSignature.java:69)
    org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processEvent(AbstractSignatureReferenceVerifyInputProcessor.java:443)
    org.apache.xml.security.stax.impl.processor.input.AbstractSignatureReferenceVerifyInputProcessor$InternalSignatureReferenceVerifier.processNextEvent(AbstractSignatureReferenceVerifyInputProcessor.java:436)
    org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
    org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor.processNextEvent(XMLSecurityInputProcessor.java:76)
    org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:188)
    org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:76)
    ... removed non-santuario stack frames
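The pattern behind the report, as an added example that is not part of the original issue and not Santuario code: a static WeakHashMap cache shared by worker threads, beside one standard hardening (a synchronized wrapper). The class name, cache fields and `encode` helper are hypothetical, and the issue does not state how the project fixed it.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import java.util.WeakHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Hypothetical stand-in for a shared UTF-8 encoding cache; not Santuario code.
public class SharedCacheDemo {

    // Before: one WeakHashMap shared by every worker thread with no locking.
    // Concurrent put()/get() can corrupt a bucket chain while the table is
    // resized, after which a thread walking that chain may never terminate.
    static final Map<String, byte[]> UNSAFE_CACHE = new WeakHashMap<>();

    // After: the same map behind a synchronized wrapper, so every access
    // takes the wrapper's lock. Weak-key eviction behaviour is unchanged.
    static final Map<String, byte[]> SAFE_CACHE =
            Collections.synchronizedMap(new WeakHashMap<>());

    static byte[] encode(Map<String, byte[]> cache, String s) {
        byte[] cached = cache.get(s);
        if (cached == null) {
            cached = s.getBytes(StandardCharsets.UTF_8);
            // Two threads may both miss and both store; the values are equal,
            // so the duplicate work is harmless once each call is locked.
            cache.put(s, cached);
        }
        return cached;
    }

    public static void main(String[] args) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            pool.submit(() -> {
                for (int i = 0; i < 200_000; i++) {
                    // Constructed keys: fresh String objects keep the map
                    // growing and being cleared by the garbage collector.
                    encode(SAFE_CACHE, "attr-" + (i % 5_000));
                }
            });
        }
        pool.shutdown();
        boolean done = pool.awaitTermination(60, TimeUnit.SECONDS);
        System.out.println(done ? "all workers finished"
                                : "workers still running: take a thread dump");
    }
}
```

A thread dump showing several RUNNABLE workers parked in `java.util.WeakHashMap` frames for a long state duration, as in the trace above, is the signal to look for when auditing other shared caches of this kind.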