Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 0.5
- None
- Java 1.6, Mac OSX 10.6.8 64-bit
- Patch Available
Description
I have a Thrift struct T which declares a binary field f3 after two other fields f1 and f2. After successful deserialization of a T instance, f3 references a ByteBuffer which wraps the raw byte[] containing all T instance data and has position and limit set to scope reads to valid f3 bytes. This is great because it means less copying of raw byte[] data.
However, TBaseHelper.toString(ByteBuffer bb, StringBuilder sb) uses Buffer.array() and Buffer.arrayOffset() to read f3 data, causing it to append bytes to sb which lie outside f3's valid range in the backing byte[].
It seems like this logic is also present in the latest version of TBaseHelper: http://svn.apache.org/viewvc/thrift/trunk/lib/java/src/org/apache/thrift/TBaseHelper.java?revision=1038833&view=markup#l223
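The over-read described in this report, reduced to a standalone case. This is an added example, not Thrift's code: the class, the method names and the sample bytes are constructed for illustration. It contrasts a dump that walks the backing array from arrayOffset() with one that stays inside the buffer's position and limit.

```java
import java.nio.ByteBuffer;

public class ByteBufferBoundsExample {
    // Pattern from the report: reads the backing array starting at
    // arrayOffset() and ignores the buffer's position and limit.
    static String hexIgnoringBounds(ByteBuffer bb) {
        byte[] raw = bb.array();
        StringBuilder sb = new StringBuilder();
        for (int i = bb.arrayOffset(); i < raw.length; i++) {
            sb.append(String.format("%02X ", raw[i]));
        }
        return sb.toString().trim();
    }

    // Bounds-respecting version: absolute get() over [position, limit).
    // It does not move the caller's position and also works for direct
    // or read-only buffers, where array() would throw.
    static String hexWithinBounds(ByteBuffer bb) {
        StringBuilder sb = new StringBuilder();
        for (int i = bb.position(); i < bb.limit(); i++) {
            sb.append(String.format("%02X ", bb.get(i)));
        }
        return sb.toString().trim();
    }

    public static void main(String[] args) {
        // Constructed sample: one backing array for a whole serialized
        // struct. Bytes 0-1 stand for f1, 2-4 for f2, 5-6 for f3, and
        // byte 7 is trailing data that belongs to none of them.
        byte[] raw = {
            0x01, 0x02,
            0x11, 0x12, 0x13,
            (byte) 0xAA, (byte) 0xBB,
            0x00
        };

        // Zero-copy view of f3 only: position = 5, limit = 7,
        // arrayOffset() = 0, array() = the full 8-byte array.
        ByteBuffer f3 = ByteBuffer.wrap(raw, 5, 2);

        System.out.println("ignoring bounds: " + hexIgnoringBounds(f3));
        System.out.println("within bounds:   " + hexWithinBounds(f3));
    }
}
```

When such a string ends up in logs or exception messages, the unbounded version exposes the contents of neighbouring fields along with the one being printed.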