Saturday, July 16, 2011

Security Alert For CVE-2010-4476 Released

Java Hangs When Converting 2.2250738585072012e-308

This is old news. On Feb. 8, 2011, Oracle released a fix for this Security Alert CVE-2010-4476. To test, I wrote a short program and ran it on Java 6 update 23 and yay, the bug was fixed :-)

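package exploits;

// Test for CVE-2010-4476: an unpatched javac or JVM hangs converting this literal.
class FreezeJava {
    // main() replaces the static initializer so the class can be launched directly.
    public static void main(String[] args) {
        // System.out is used because System.console() is null without a terminal.
        System.out.printf("The Java Bug 2.2250738585072012e-308 ");
        double d = 2.2250738585072012e-308;
        System.out.printf("was fix in %s%n",
                System.getProperty("java.version"));
    }
}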


Konstantin Preißer made an interesting discovery, after reading my article “PHP Hangs On Numeric Value 2.2250738585072011e-308”: Java — both its runtime and compiler — go into an infinite loop when converting the decimal number 2.2250738585072012e-308 to double-precision binary floating-point. This number is supposed to convert to 0x1p-1022, which is DBL_MIN; instead, Java gets stuck, oscillating between 0x1p-1022 and 0x0.fffffffffffffp-1022, the largest subnormal double-precision floating-point number.

Update: Testing 2.2250738585072012e-308. In C# .NET 1.1 the output was "2.2250738585072E-308" while in Java 6 the output was "2.2250738585072014E-308".
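
The test program above freezes along with the JVM when the bug is present. As an added example (not part of the original post), the probe below runs the same conversion on a daemon thread with a timeout, so an affected runtime is reported instead of hanging the caller; the class name, method name and the 2-second limit are assumptions made for this sketch.

```java
import java.util.concurrent.*;

// Added example: reports whether this JVM hangs on the CVE-2010-4476 input.
public class ParseDoubleProbe {
    // Kept as a String so javac never converts it; only the runtime parser is exercised.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Returns the parsed value, or null if the conversion did not finish in time.
    static Double parseWithTimeout(final String s, long millis) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parse-probe");
                t.setDaemon(true); // a stuck conversion must not keep the JVM alive
                return t;
            }
        });
        Future<Double> f = pool.submit(new Callable<Double>() {
            public Double call() {
                return Double.valueOf(Double.parseDouble(s));
            }
        });
        try {
            return f.get(millis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            return null; // the worker is abandoned; it dies with the JVM
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        double expected = Double.MIN_NORMAL;          // 0x1.0p-1022, i.e. DBL_MIN
        double below = Math.nextAfter(expected, 0.0); // largest subnormal double
        System.out.printf("correct result %s, neighbour below %s%n",
                Double.toHexString(expected), Double.toHexString(below));

        String version = System.getProperty("java.version");
        Double got = parseWithTimeout(TRIGGER, 2000);
        if (got == null) {
            System.out.printf("Java %s: conversion did not return, runtime is affected%n", version);
        } else {
            System.out.printf("Java %s: parsed %s (%s)%n", version,
                    Double.toHexString(got), got == expected ? "correct" : "unexpected");
        }
    }
}
```

The same timeout wrapper can guard any code path that parses untrusted numeric strings on a runtime whose patch level is unknown.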
