Author: bmaxwell
Date: 2012-02-23 18:13:19 -0500 (Thu, 23 Feb 2012)
New Revision: 1977
Modified:
branches/JBOSSWEB_2_0_0_GA_CP16_JBPAPP-8221/src/share/classes/org/apache/tomcat/util/http/Parameters.java
Log:
[JBPAPP-8221] CVE-2012-0022 fix
Modified:
branches/JBOSSWEB_2_0_0_GA_CP16_JBPAPP-8221/src/share/classes/org/apache/tomcat/util/http/Parameters.java
===================================================================
---
branches/JBOSSWEB_2_0_0_GA_CP16_JBPAPP-8221/src/share/classes/org/apache/tomcat/util/http/Parameters.java 2012-02-23
22:41:09 UTC (rev 1976)
+++
branches/JBOSSWEB_2_0_0_GA_CP16_JBPAPP-8221/src/share/classes/org/apache/tomcat/util/http/Parameters.java 2012-02-23
23:13:19 UTC (rev 1977)
@@ -314,6 +314,8 @@
if (paramHashStringArray.containsKey(key)) {
String oldValues[] = (String[])paramHashStringArray.
get(key);
+ if (oldValues.length >=MAX_COUNT)
+ throw new IllegalStateException("Parameter values exceeded allowed
maximum: " + MAX_COUNT);
values = new String[oldValues.length + 1];
for (int i = 0; i < oldValues.length; i++) {
values[i] = oldValues[i];
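Review bot: The new `oldValues.length >=MAX_COUNT` guard sits inside the `containsKey(key)` branch, so it caps only the number of values stored under one name; a request that sends many distinct names with one value each never reaches it. If MAX_COUNT is meant as the request-wide limit for the CVE-2012-0022 fix, a running total should also be checked before the `containsKey` test, unless that is already enforced outside this hunk. The unchecked `IllegalStateException` also needs a caller that maps it to a client error rather than an unhandled server error, and no such handling is visible here. At minimum, brace the `if` and add a comment such as `// caps values per parameter name; total parameter count is limited in <location>`. The enclosing method starts and ends outside the hunk.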