In the entitizeContent routine in Saver.java there is a loop responsible for modifying bad characters and the ">" in "]]>" when surrounding the text with "<![CDATA[" and "]]>". The loop iterates _lastEmitCch times, but the first two characters of the text have already been processed.
This causes problems in one of two rare scenarios:
The last character in _buf is a ']' and the next two unused characters are ']' and '>' respectively
The last two characters in _buf are both ']' and the next unused character is a '>'
In these instances replace invokes System.arraycopy with invalid parameters as i is outside of the normal _out/_in range resulting in an ArrayIndexOutOfBoundsException or an assertion error is they are enabled.
In addition, the first two characters are not checked against isBadChar as they're processed outside of this loop.
I believe that a quick and dirty fix for the ArrayIndexOutOfBoundsException (but not isBadChar) would be to change this particular loop from:
for ( int cch = _lastEmitCch ; cch > 0 ; cch-- )
for ( int cch = _lastEmitCch ; cch > 2; cch-- )
We don't get the isBadChar problem, so I would be grateful if you could confirm the quick and dirty fix above fixes the ArrayIndexOutOfBoundsException as I'd like to patch our production system.