commit 774ef160d591b579f703c694002e080f99bcd28b
author Jochen Wiedmann <jochen@apache.org> Thu May 12 08:13:59 2016 +0000
committer Jochen Wiedmann <jochen@apache.org> Thu May 12 08:13:59 2016 +0000
tree f702b998b2a1c781c01984c408de71415603a41a
parent 8bf965a49a39521018c587d59dcc943278c4aee7

Fix a performance issue with large boundaries leading to a Denial of Service (CVE-2016-3092)


git-svn-id: https://svn.apache.org/repos/asf/commons/proper/fileupload/trunk@1743480 13f79535-47bb-0310-9956-ffa450edef68

src/main/java/org/apache/commons/fileupload/MultipartStream.java

diff --git a/src/main/java/org/apache/commons/fileupload/MultipartStream.java b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
index 600a44e..0d05b71 100644
--- a/src/main/java/org/apache/commons/fileupload/MultipartStream.java
+++ b/src/main/java/org/apache/commons/fileupload/MultipartStream.java
@@ -325,12 +325,6 @@
         if (boundary == null) {
             throw new IllegalArgumentException("boundary may not be null");
         }
-
-        this.input = input;
-        this.bufSize = bufSize;
-        this.buffer = new byte[bufSize];
-        this.notifier = pNotifier;
-
         // We prepend CR/LF to the boundary to chop trailing CR/LF from
         // body-data tokens.
         this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
@@ -338,6 +332,12 @@
             throw new IllegalArgumentException(
                     "The buffer size specified for the MultipartStream is too small");
         }
+
+        this.input = input;
+        this.bufSize = Math.max(bufSize, boundaryLength*2);
+        this.buffer = new byte[this.bufSize];
+        this.notifier = pNotifier;
+
         this.boundary = new byte[this.boundaryLength];
         this.keepRegion = this.boundary.length;