Author: aogburn
Date: 2014-07-23 16:38:09 -0400 (Wed, 23 Jul 2014)
New Revision: 2482
Modified:
branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
Log:
CVE-2014-0099 backport
Modified: branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
===================================================================
--- branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-23 20:31:43 UTC (rev
2481)
+++ branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-23 20:38:09 UTC (rev
2482)
@@ -41,6 +41,8 @@
private static final boolean[] isWhite = new boolean[256];
private static final boolean[] isDigit = new boolean[256];
+ private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10;
+
/*
* Initialize character translation and type tables.
*/
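Review bot: `OVERFLOW_LIMIT` is added without a comment, and its role only becomes clear from the loop in `parseLong` further down the file. A one-line comment above it would tie the constant to the check that uses it, for example `// Largest accumulator value that can still be multiplied by 10 without exceeding Long.MAX_VALUE`. Without it, a later edit to the digit check could drift away from the constant and reintroduce the overflow this backport closes.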
@@ -187,8 +189,7 @@
* @exception NumberFormatException if the long format was invalid
*/
public static long parseLong(byte[] b, int off, int len)
- throws NumberFormatException
- {
+ throws NumberFormatException {
int c;
if (b == null || len <= 0 || !isDigit(c = b[off++])) {
@@ -196,20 +197,13 @@
}
long n = c - '0';
- long m;
-
while (--len > 0) {
- if (!isDigit(c = b[off++])) {
+ if (isDigit(c = b[off++])
+ && (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT &&
(c - '0') < 8))) {
+ n = n * 10 + c - '0';
+ } else {
throw new NumberFormatException();
}
- m = n * 10 + c - '0';
-
- if (m < n) {
- // Overflow
- throw new NumberFormatException();
- } else {
- n = m;
- }
}
return n;
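Review bot: The literal `8` in `(c - '0') < 8` is the last digit of Long.MAX_VALUE plus one, and nothing in the new condition says so. Writing it as `(c - '0') <= Long.MAX_VALUE % 10` keeps the bound derived from the same source as `OVERFLOW_LIMIT`. The commit modifies only Ascii.java, so no regression test is visible for the boundary; 9223372036854775807 should be accepted and 9223372036854775808 rejected. Any other digit-accumulating parser in this class (an int variant or a char[] overload, if present) is outside this diff and should be checked for the old `m < n` pattern. `parseLong` starts before this hunk and its closing brace falls after it.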
Property changes on: branches/2.1.x/java/org/apache/tomcat/util/buf/Ascii.java
___________________________________________________________________
Added: svn:mergeinfo
+ /branches/7.4.x/src/main/java/org/apache/tomcat/util/buf/Ascii.java:2426