Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.45
Fix Version/s: 1.46
Labels: None
Environment: Java 5 or Java 6 on Mac OS X 10.5
Description
The method PGPUtil.getDecoderStream() doesn't work correctly for input streams larger than 2GB. The symptom of the problem is that when doing
(new PGPObjectFactory(PGPUtil.getDecoderStream(in))).nextObject()
on a binary symmetrically encrypted PGP stream, an exception like the following is thrown:
java.lang.NegativeArraySizeException
at org.bouncycastle.bcpg.SymmetricKeyEncSessionPacket.<init>(Unknown Source)
at org.bouncycastle.bcpg.BCPGInputStream.readPacket(Unknown Source)
at org.bouncycastle.openpgp.PGPEncryptedDataList.<init>(Unknown Source)
at org.bouncycastle.openpgp.PGPObjectFactory.nextObject(Unknown Source)
The bug is actually in Sun (Oracle) code, i.e. in BufferedInputStream.available(), which reads (in Java 5): "return getInIfOpen().available() + (count - pos);" As all numbers involved in this calculation are 32-bit ints, this will return a negative number for streams larger than 2GB if (count - pos) > 0.
Returning a BufferedInputStream from PGPUtil.getDecoderStream() should therefore be avoided.
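Added example (not part of the original report, and not Bouncy Castle or JDK code): the int wrap-around in the quoted Java 5 expression, shown next to a saturating sum and a caller that rejects a negative size before allocating. HugeStream, java5Available, saturatingAvailable and allocateFrom are hypothetical names, and a stream reporting Integer.MAX_VALUE is a constructed stand-in for an underlying stream over a file larger than 2GB.

```java
import java.io.ByteArrayInputStream;
import java.io.FilterInputStream;
import java.io.IOException;
import java.io.InputStream;

public class AvailableOverflowDemo {

    // Constructed stand-in for the underlying stream of a >2GB input:
    // available() returns an int, so Integer.MAX_VALUE is the most it can report.
    static class HugeStream extends FilterInputStream {
        HugeStream() { super(new ByteArrayInputStream(new byte[16])); }
        @Override public int available() { return Integer.MAX_VALUE; }
    }

    // The Java 5 expression quoted in the report: plain 32-bit int addition.
    static int java5Available(InputStream in, int count, int pos) throws IOException {
        return in.available() + (count - pos);
    }

    // Saturating variant: do the sum in 64 bits and clamp instead of wrapping.
    static int saturatingAvailable(InputStream in, int count, int pos) throws IOException {
        long sum = (long) in.available() + (count - pos);
        return (int) Math.min(sum, Integer.MAX_VALUE);
    }

    // Hypothetical consumer: never trust available() as an array length unchecked.
    static byte[] allocateFrom(int available) {
        if (available < 0) {
            throw new IllegalStateException("available() returned " + available);
        }
        return new byte[Math.min(available, 8192)]; // bounded allocation
    }

    public static void main(String[] args) throws IOException {
        InputStream in = new HugeStream();
        int count = 8192, pos = 100; // buffered but unread bytes: count - pos > 0
        int wrapped = java5Available(in, count, pos);
        System.out.println("Java 5 arithmetic: " + wrapped);
        System.out.println("Saturating sum:    " + saturatingAvailable(in, count, pos));
        try {
            byte[] unchecked = new byte[wrapped]; // size taken straight from available()
            System.out.println("Allocated " + unchecked.length + " bytes");
        } catch (NegativeArraySizeException e) {
            System.out.println("Unchecked caller:  " + e);
        }
        try {
            allocateFrom(wrapped);
        } catch (IllegalStateException e) {
            System.out.println("Checked caller:    " + e.getMessage());
        }
    }
}
```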