Author: remy.maucherat(a)jboss.com Date: 2014-05-28 03:21:40 -0400 (Wed, 28 May 2014) New Revision: 2426 Modified: branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java Log: Port patch for CVE-2014-0099: Fix possible overflow when parsing long values from a byte array. Modified: branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java =================================================================== --- branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java 2014-05-27 07:33:58 UTC (rev 2425) +++ branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java 2014-05-28 07:21:40 UTC (rev 2426) @@ -41,6 +41,8 @@ private static final boolean[] isWhite = new boolean[256]; private static final boolean[] isDigit = new boolean[256]; + private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10; + /* * Initialize character translation and type tables. */ @@ -187,8 +189,7 @@ * @exception NumberFormatException if the long format was invalid */ public static long parseLong(byte[] b, int off, int len) - throws NumberFormatException - { + throws NumberFormatException { int c; if (b == null || len <= 0 || !isDigit(c = b[off++])) { @@ -196,20 +197,13 @@ } long n = c - '0'; - long m; - while (--len > 0) { - if (!isDigit(c = b[off++])) { + if (isDigit(c = b[off++]) + && (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) { + n = n * 10 + c - '0'; + } else { throw new NumberFormatException(); } - m = n * 10 + c - '0'; - - if (m < n) { - // Overflow - throw new NumberFormatException(); - } else { - n = m; - } } return n;