Skip to content

Add bounds validation to ArrayUtil.growExact() and CharTermAttributeImpl.clone()#16345

Closed
vik-hashira wants to merge 3 commits into
apache:mainfrom
vik-hashira:security-fixes-ArrayUtil-CharTermAttributeImpl
Closed

Add bounds validation to ArrayUtil.growExact() and CharTermAttributeImpl.clone()#16345
vik-hashira wants to merge 3 commits into
apache:mainfrom
vik-hashira:security-fixes-ArrayUtil-CharTermAttributeImpl

Conversation

@vik-hashira

@vik-hashira vik-hashira commented Jul 2, 2026

Copy link
Copy Markdown

Fixes #16346

Summary

This PR adds bounds validation to ArrayUtil.growExact() methods and CharTermAttributeImpl.clone() to reject invalid input values with clear error messages.

Changes

ArrayUtil.growExact()

  • Added new private helper method checkGrowExactLength() for centralized validation
  • Validates newLength >= 0 (throws IllegalArgumentException)
  • Validates newLength >= array.length (throws IndexOutOfBoundsException for backward compatibility)
  • Validates newLength <= MAX_ARRAY_LENGTH (throws IllegalArgumentException)
  • Applied to all 8 growExact() method variants

CharTermAttributeImpl.clone()

  • Added validation for termLength before array allocation
  • Checks termLength >= 0 (throws IllegalStateException)
  • Checks termLength <= ArrayUtil.MAX_ARRAY_LENGTH (throws IllegalStateException)

Backward Compatibility

  • Existing valid code paths are unaffected
  • Invalid newLength values will now receive clear error messages instead of undefined behavior
  • IndexOutOfBoundsException maintained for newLength < array.length to preserve existing test expectations

Testing

  • Added testGrowExactBoundsValidation() to verify validation works correctly
  • Existing testGrowExact tests continue to pass
  • Validation prevents unexpected behavior without breaking valid use cases

Adds bounds checking to all growExact() methods to prevent:
- Negative newLength values
- newLength less than array.length (maintains backward compatibility with IndexOutOfBoundsException)
- newLength exceeding MAX_ARRAY_LENGTH

This fixes potential security issues where malicious input could
cause excessive memory allocation or undefined behavior.
@vik-hashira vik-hashira force-pushed the security-fixes-ArrayUtil-CharTermAttributeImpl branch from fa7979c to d02e3f5 Compare July 2, 2026 09:51
Adds bounds checking in clone() method to validate termLength:
- Checks termLength is not negative
- Checks termLength does not exceed MAX_ARRAY_LENGTH

This prevents potential security issues with crafted/malicious
TermBuffer values that could cause excessive memory allocation
or undefined behavior during cloning.
@vik-hashira vik-hashira force-pushed the security-fixes-ArrayUtil-CharTermAttributeImpl branch from d02e3f5 to 3c0d0e6 Compare July 2, 2026 10:05
@rmuir

rmuir commented Jul 2, 2026

Copy link
Copy Markdown
Member

not vulnerabilities

- Remove OOM-causing test that allocated MAX_ARRAY_LENGTH
- Update CHANGES.txt to reference new bug issue apache#16346
- Rephrase CHANGES.txt entry as bug fix (not security)

Co-Authored-By: Claude <noreply@anthropic.com>
@vik-hashira vik-hashira changed the title Fix security vulnerabilities in ArrayUtil.growExact() and CharTermAttributeImpl.clone() Add bounds validation to ArrayUtil.growExact() and CharTermAttributeImpl.clone() Jul 2, 2026
@vik-hashira

Copy link
Copy Markdown
Author

Thank you for the feedback! I've updated this PR to frame it as a bug fix rather than a security vulnerability:

  1. Created new issue Bug: Add bounds validation to ArrayUtil.growExact() and CharTermAttributeImpl.clone() #16346 as a bug report (the security issue Security vulnerabilities: Improper handling in ArrayUtil.grow() and CharTermAttributeImpl.clone() #16344 has been closed)
  2. Updated CHANGES.txt to reference the new bug issue and rephrase as a bug fix
  3. Fixed the failing test that was attempting to allocate MAX_ARRAY_LENGTH (causing OOM)

The validation changes remain the same - they add proper bounds checking with clear error messages for invalid input values. This improves robustness and provides better error messages for edge cases.

throw new IllegalStateException(
"termLength (" + this.termLength + ") exceeds maximum allowed array length");
}
t.termBuffer = new char[this.termLength];

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this isn't needed. java's bounds checking already does this.

@rmuir

rmuir commented Jul 2, 2026

Copy link
Copy Markdown
Member

i dont agree with the changes, we don't need such additional bounds checks, java already has them. this isn't C.

@vik-hashira

Copy link
Copy Markdown
Author

Thank you for the feedback @rmuir. You're right - Java already provides bounds checking for array operations, and these additional checks are redundant. I appreciate you taking the time to review this.

Closing this PR as the changes are not needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Bug: Add bounds validation to ArrayUtil.growExact() and CharTermAttributeImpl.clone()

2 participants