VYPR
← All advisories
Moderate severityNVD Advisory· Published Oct 16, 2013· Updated Apr 29, 2026

CVE-2013-5823

CVE-2013-5823

Description

Unspecified vulnerability in Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, and Java SE Embedded 7u40 and earlier allows remote attackers to affect availability via unknown vectors related to Security.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.santuario:xmlsecMaven
>= 1.4.0, < 1.4.81.4.8
org.apache.santuario:xmlsecMaven
>= 1.5.0, < 1.5.31.5.3

Affected products

169
  • Oracle Corporation/Jdk38 versions
    cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*+ 37 more
    • cpe:2.3:a:oracle:jdk:1.6.0:update22:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update23:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update24:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update25:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update26:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update27:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update29:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update30:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update31:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update32:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update33:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update34:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update35:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update37:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update38:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update39:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update41:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update43:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update45:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.6.0:update51:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update1:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update10:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update11:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update13:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update15:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update17:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update21:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update25:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update3:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update4:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update5:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update6:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update7:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:1.7.0:update9:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jdk:*:update40:*:*:*:*:*:*range: <=1.7.0
    • cpe:2.3:a:oracle:jdk:*:update60:*:*:*:*:*:*range: <=1.6.0
  • Oracle Corporation/Jre38 versions
    cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*+ 37 more
    • cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update39:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update41:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update43:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.6.0:update51:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update25:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jre:*:update40:*:*:*:*:*:*range: <=1.7.0
    • cpe:2.3:a:oracle:jre:*:update60:*:*:*:*:*:*range: <=1.6.0
  • Oracle Corporation/Jrockit19 versions
    cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*+ 18 more
    • cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*range: <=r27.7.6
    • cpe:2.3:a:oracle:jrockit:r27.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r27.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r27.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r27.7.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r27.7.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:jrockit:r28.2.6:*:*:*:*:*:*:*
  • Sun Corporation/Jdk21 versions
    cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*+ 20 more
    • cpe:2.3:a:sun:jdk:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_10:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_11:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_12:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_13:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_14:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_15:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_16:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_17:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_18:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_19:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update1_b06:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_20:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_21:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_3:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_4:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_5:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_6:*:*:*:*:*:*
    • cpe:2.3:a:sun:jdk:1.6.0:update_7:*:*:*:*:*:*
  • Sun Corporation/Jre21 versions
    cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*+ 20 more
    • cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_18:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_19:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_20:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_21:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*
    • cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*
  • osv-coords32 versions
    pkg:apk/chainguard/openjdk-11-openj9pkg:apk/chainguard/openjdk-11-openj9-dbgpkg:apk/chainguard/openjdk-11-openj9-default-jdkpkg:apk/chainguard/openjdk-11-openj9-default-jvmpkg:apk/chainguard/openjdk-11-openj9-default-policypkg:apk/chainguard/openjdk-11-openj9-docpkg:apk/chainguard/openjdk-11-openj9-jmodspkg:apk/chainguard/openjdk-11-openj9-jrepkg:apk/chainguard/openjdk-17-openj9pkg:apk/chainguard/openjdk-17-openj9-dbgpkg:apk/chainguard/openjdk-17-openj9-default-jdkpkg:apk/chainguard/openjdk-17-openj9-default-jvmpkg:apk/chainguard/openjdk-17-openj9-default-policypkg:apk/chainguard/openjdk-17-openj9-docpkg:apk/chainguard/openjdk-17-openj9-jmodspkg:apk/chainguard/openjdk-17-openj9-jrepkg:apk/chainguard/openjdk-21-openj9pkg:apk/chainguard/openjdk-21-openj9-dbgpkg:apk/chainguard/openjdk-21-openj9-default-jdkpkg:apk/chainguard/openjdk-21-openj9-default-jvmpkg:apk/chainguard/openjdk-21-openj9-default-policypkg:apk/chainguard/openjdk-21-openj9-docpkg:apk/chainguard/openjdk-21-openj9-jmodspkg:apk/chainguard/openjdk-21-openj9-jrepkg:apk/chainguard/openjdk-8-openj9pkg:apk/chainguard/openjdk-8-openj9-dbgpkg:apk/chainguard/openjdk-8-openj9-default-jdkpkg:apk/chainguard/openjdk-8-openj9-default-jvmpkg:apk/chainguard/openjdk-8-openj9-docpkg:apk/chainguard/openjdk-8-openj9-jrepkg:maven/org.apache.santuario/xmlsecpkg:rpm/opensuse/java-1_7_0-openjdk&distro=openSUSE%20Tumbleweed
    < 0.53.0-r0+ 31 more
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.53.0-r0
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.48.0-r2
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: < 0.53.0-r1
    • (no CPE)range: >= 1.4.0, < 1.4.8
    • (no CPE)range: < 1.7.0.121-1.1

Patches

3
55a48497dfbf

[SANTUARIO-334] - UnsyncByteArrayOutputStream hangs on messages larger 512 MB

https://github.com/apache/santuario-javaColm O HeigeartaighJul 31, 2012via ghsa
commit
2 files changed · +54 37
  • CHANGELOG.txt+1 0 modified
    @@ -1,6 +1,7 @@
 Changelog for "Apache xml-security" <http://santuario.apache.org/>
 
 New in v.1.4.8-SNAPSHOT:
+    Fixed SANTUARIO-334 - UnsyncByteArrayOutputStream hangs on messages larger 512 MB.
 
 New in v.1.4.7:
     Fixed SANTUARIO-306 - KeySelectors loop
  • src/org/apache/xml/security/utils/UnsyncByteArrayOutputStream.java+53 37 modified
    @@ -1,21 +1,24 @@
-/*
- * Copyright 1999-2010 The Apache Software Foundation.
- *
- *  Licensed under the Apache License, Version 2.0 (the "License");
- *  you may not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
  *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS,
- *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ * http://www.apache.org/licenses/LICENSE-2.0
  *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
  */
 package org.apache.xml.security.utils;
 
+import java.io.IOException;
 import java.io.OutputStream;
 
 /**
@@ -37,49 +40,62 @@ protected synchronized Object initialValue() {
     private int pos = 0;
 
     public UnsyncByteArrayOutputStream() {
-	buf = (byte[])bufCache.get();
+        buf = (byte[])bufCache.get();
     }
 
     public void write(byte[] arg0) {
-	int newPos = pos + arg0.length;
-	if (newPos > size) {
-	    expandSize(newPos);
-	}
-	System.arraycopy(arg0, 0, buf, pos, arg0.length);
-	pos = newPos;
+        if ((Integer.MAX_VALUE - pos) < arg0.length) {
+            throw new OutOfMemoryError();
+        }
+        int newPos = pos + arg0.length;
+        if (newPos > size) {
+            expandSize(newPos);
+        }
+        System.arraycopy(arg0, 0, buf, pos, arg0.length);
+        pos = newPos;
     }
 
     public void write(byte[] arg0, int arg1, int arg2) {
-	int newPos = pos + arg2;
-	if (newPos > size) {
-	    expandSize(newPos);
-	}
-	System.arraycopy(arg0, arg1, buf, pos, arg2);
-	pos = newPos;
+        if ((Integer.MAX_VALUE - pos) < arg2) {
+            throw new OutOfMemoryError();
+        }
+        int newPos = pos + arg2;
+        if (newPos > size) {
+            expandSize(newPos);
+        }
+        System.arraycopy(arg0, arg1, buf, pos, arg2);
+        pos = newPos;
     }
 
-    public void write(int arg0) {		
+    public void write(int arg0) {
+        if ((Integer.MAX_VALUE - pos) == 0) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + 1;
-	if (newPos > size) {
-	    expandSize(newPos);
-	}
-	buf[pos++] = (byte)arg0;		
+        if (newPos > size) {
+            expandSize(newPos);
+        }
+        buf[pos++] = (byte)arg0;		
     }
 
     public byte[] toByteArray() {
-	byte result[] = new byte[pos];
-	System.arraycopy(buf, 0, result, 0, pos);
-	return result;
+        byte result[] = new byte[pos];
+        System.arraycopy(buf, 0, result, 0, pos);
+        return result;
     }
 
     public void reset() {
-	pos = 0;
+        pos = 0;
     }
-	
+    
     private void expandSize(int newPos) {
         int newSize = size;
         while (newPos > newSize) {
-            newSize = newSize<<2;
+            newSize = newSize << 1;
+            // Deal with overflow
+            if (newSize < 0) {
+                newSize = Integer.MAX_VALUE;
+            }
         }
         byte newBuf[] = new byte[newSize];
         System.arraycopy(buf, 0, newBuf, 0, pos);
f9a61f2df947

[SANTUARIO-334] - UnsyncByteArrayOutputStream hangs on messages larger 512 MB

https://github.com/apache/santuario-javaColm O HeigeartaighJul 31, 2012via ghsa
commit
1 file changed · +15 2
  • src/main/java/org/apache/xml/security/utils/UnsyncByteArrayOutputStream.java+15 2 modified
    @@ -45,6 +45,9 @@ public UnsyncByteArrayOutputStream() {
     }
 
     public void write(byte[] arg0) {
+        if ((Integer.MAX_VALUE - pos) < arg0.length) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + arg0.length;
         if (newPos > size) {
             expandSize(newPos);
@@ -54,6 +57,9 @@ public void write(byte[] arg0) {
     }
 
     public void write(byte[] arg0, int arg1, int arg2) {
+        if ((Integer.MAX_VALUE - pos) < arg2) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + arg2;
         if (newPos > size) {
             expandSize(newPos);
@@ -62,7 +68,10 @@ public void write(byte[] arg0, int arg1, int arg2) {
         pos = newPos;
     }
 
-    public void write(int arg0) {		
+    public void write(int arg0) {
+        if ((Integer.MAX_VALUE - pos) == 0) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + 1;
         if (newPos > size) {
             expandSize(newPos);
@@ -89,7 +98,11 @@ public void close() throws IOException {
     private void expandSize(int newPos) {
         int newSize = size;
         while (newPos > newSize) {
-            newSize = newSize << 2;
+            newSize = newSize << 1;
+            // Deal with overflow
+            if (newSize < 0) {
+                newSize = Integer.MAX_VALUE;
+            }
         }
         byte newBuf[] = new byte[newSize];
         System.arraycopy(buf, 0, newBuf, 0, pos);
cea3c91106fb

[SANTUARIO-334] - UnsyncByteArrayOutputStream hangs on messages larger 512 MB

https://github.com/apache/santuario-javaColm O hEigeartaighJul 31, 2012via ghsa
commit
1 file changed · +15 2
  • src/main/java/org/apache/xml/security/utils/UnsyncByteArrayOutputStream.java+15 2 modified
    @@ -45,6 +45,9 @@ public UnsyncByteArrayOutputStream() {
     }
 
     public void write(byte[] arg0) {
+        if ((Integer.MAX_VALUE - pos) < arg0.length) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + arg0.length;
         if (newPos > size) {
             expandSize(newPos);
@@ -54,6 +57,9 @@ public void write(byte[] arg0) {
     }
 
     public void write(byte[] arg0, int arg1, int arg2) {
+        if ((Integer.MAX_VALUE - pos) < arg2) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + arg2;
         if (newPos > size) {
             expandSize(newPos);
@@ -62,7 +68,10 @@ public void write(byte[] arg0, int arg1, int arg2) {
         pos = newPos;
     }
 
-    public void write(int arg0) {		
+    public void write(int arg0) {
+        if ((Integer.MAX_VALUE - pos) == 0) {
+            throw new OutOfMemoryError();
+        }
         int newPos = pos + 1;
         if (newPos > size) {
             expandSize(newPos);
@@ -89,7 +98,11 @@ public void close() throws IOException {
     private void expandSize(int newPos) {
         int newSize = size;
         while (newPos > newSize) {
-            newSize = newSize << 2;
+            newSize = newSize << 1;
+            // Deal with overflow
+            if (newSize < 0) {
+                newSize = Integer.MAX_VALUE;
+            }
         }
         byte newBuf[] = new byte[newSize];
         System.arraycopy(buf, 0, newBuf, 0, pos);

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

33

News mentions

0

No linked articles in our index yet.