From 35e1369c771099583b09158453692e7ba26610ef Mon Sep 17 00:00:00 2001
From: Ralph Loader <rcl@ihug.co.nz>
Date: Thu, 16 Oct 2003 21:35:42 +0000
Subject: StringBuffer.java (getChars): Fix array index checks.

	* java/lang/StringBuffer.java (getChars): Fix array index checks.
	(append, substring, insert): Likewise.
	* testsuite/libjava.lang/StringBuffer_overflow.java: New file.
	* testsuite/libjava.lang/StringBuffer_overflow.out: New file.

From-SVN: r72579
---
 libjava/java/lang/StringBuffer.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

(limited to 'libjava/java/lang')

diff --git a/libjava/java/lang/StringBuffer.java b/libjava/java/lang/StringBuffer.java
index 0903b40..92f9615 100644
--- a/libjava/java/lang/StringBuffer.java
+++ b/libjava/java/lang/StringBuffer.java
@@ -244,10 +244,9 @@ public final class StringBuffer implements Serializable, CharSequence
   public synchronized void getChars(int srcOffset, int srcEnd,
                                     char[] dst, int dstOffset)
   {
-    int todo = srcEnd - srcOffset;
-    if (srcOffset < 0 || srcEnd > count || todo < 0)
+    if (srcOffset < 0 || srcEnd > count || srcEnd < srcOffset)
       throw new StringIndexOutOfBoundsException();
-    System.arraycopy(value, srcOffset, dst, dstOffset, todo);
+    System.arraycopy(value, srcOffset, dst, dstOffset, srcEnd - srcOffset);
   }
 
   /**
@@ -355,6 +354,8 @@ public final class StringBuffer implements Serializable, CharSequence
    */
   public synchronized StringBuffer append(char[] data, int offset, int count)
   {
+    if (offset < 0 || count < 0 || offset > data.length - count)
+      throw new StringIndexOutOfBoundsException();
     ensureCapacity_unsynchronized(this.count + count);
     System.arraycopy(data, offset, value, this.count, count);
     this.count += count;
@@ -560,7 +561,7 @@ public final class StringBuffer implements Serializable, CharSequence
   public synchronized String substring(int beginIndex, int endIndex)
   {
     int len = endIndex - beginIndex;
-    if (beginIndex < 0 || endIndex > count || len < 0)
+    if (beginIndex < 0 || endIndex > count || endIndex < beginIndex)
       throw new StringIndexOutOfBoundsException();
     if (len == 0)
       return "";
@@ -589,7 +590,7 @@ public final class StringBuffer implements Serializable, CharSequence
                                           char[] str, int str_offset, int len)
   {
     if (offset < 0 || offset > count || len < 0
-        || str_offset < 0 || str_offset + len > str.length)
+        || str_offset < 0 || str_offset > str.length - len)
       throw new StringIndexOutOfBoundsException();
     ensureCapacity_unsynchronized(count + len);
     System.arraycopy(value, offset, value, offset + len, count - offset);
-- 
cgit v1.1