
Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) and AbstractResourceBasedMessageSource.setCacheSeconds(int) #25613


Closed
TomaszPierzchala opened this issue Aug 19, 2020 · 1 comment
Labels
in: core Issues in core modules (aop, beans, core, context, expression) status: backported An issue that has been backported to maintenance branches type: bug A general bug

@TomaszPierzchala

Affects: 5.2.8.RELEASE
There is a small bug in the class org.springframework.scheduling.concurrent.ExecutorConfigurationSupport, in the method:

```java
public void setAwaitTerminationSeconds(int awaitTerminationSeconds) {
	this.awaitTerminationMillis = awaitTerminationSeconds * 1000;
}
```

When the input parameter awaitTerminationSeconds is bigger than Integer.MAX_VALUE/1000,
the value assigned to long this.awaitTerminationMillis can even be negative!

I recommend changing the 1000 to the 1000l long version as below

```java
public void setAwaitTerminationSeconds(int awaitTerminationSeconds) {
	this.awaitTerminationMillis = awaitTerminationSeconds * 1000l;
}
```
@TomaszPierzchala TomaszPierzchala changed the title Bug in method : public void setAwaitTerminationSeconds(int ) of org.springframework.scheduling.concurrent.ExecutorConfigurationSupport Bug in the method : public void setAwaitTerminationSeconds(int ) of org.springframework.scheduling.concurrent.ExecutorConfigurationSupport Aug 19, 2020
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged or decided on label Aug 19, 2020
@jhoeller jhoeller changed the title Bug in the method : public void setAwaitTerminationSeconds(int ) of org.springframework.scheduling.concurrent.ExecutorConfigurationSupport Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) Aug 25, 2020
@jhoeller jhoeller self-assigned this Aug 25, 2020
@jhoeller jhoeller added in: core Issues in core modules (aop, beans, core, context, expression) type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged or decided on labels Aug 25, 2020
@jhoeller jhoeller added this to the 5.2.9 milestone Aug 25, 2020
@jhoeller
Contributor

Thanks for spotting this! It may be rare to specify such a large value there but it still needs to work correctly.

This also applies to AbstractResourceBasedMessageSource.setCacheSeconds where I'll fix it the same way.
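
The seconds-to-milliseconds overflow discussed in this issue, as an added example that is not part of the thread or of Spring's code: it places the reported `int * int` pattern beside the widened form and shows where the boundary lies. The class `SecondsToMillisOverflow` and its method names are hypothetical; `TimeUnit.SECONDS.toMillis` and `Math.multiplyExact` are JDK alternatives that the thread does not mention.

```java
import java.util.concurrent.TimeUnit;

public class SecondsToMillisOverflow {

    // Mirrors the issue: a long field that receives the converted value.
    private long millis;

    // Reported pattern: both operands are int, so the product is computed in
    // 32-bit arithmetic and wraps before it is widened to long on assignment.
    long setSecondsAsReported(int seconds) {
        this.millis = seconds * 1000;
        return this.millis;
    }

    // Proposed fix: a long literal promotes the multiplication to 64 bits.
    long setSecondsWidened(int seconds) {
        this.millis = seconds * 1000L;
        return this.millis;
    }

    // JDK alternative (not from the thread): the conversion is done on long.
    long setSecondsViaTimeUnit(int seconds) {
        this.millis = TimeUnit.SECONDS.toMillis(seconds);
        return this.millis;
    }

    // Check usable in a unit test or validator: multiplyExact(int, int)
    // throws ArithmeticException when the int product would overflow.
    static boolean overflowsAsInt(int seconds) {
        try {
            Math.multiplyExact(seconds, 1000);
            return false;
        } catch (ArithmeticException ex) {
            return true;
        }
    }

    public static void main(String[] args) {
        SecondsToMillisOverflow s = new SecondsToMillisOverflow();
        // Constructed inputs: last safe value, first overflowing value, maximum.
        int limit = Integer.MAX_VALUE / 1000;
        for (int seconds : new int[] { limit, limit + 1, Integer.MAX_VALUE }) {
            System.out.printf("seconds=%d overflows=%b reported=%d widened=%d timeUnit=%d%n",
                    seconds, overflowsAsInt(seconds), s.setSecondsAsReported(seconds),
                    s.setSecondsWidened(seconds), s.setSecondsViaTimeUnit(seconds));
        }
    }
}
```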

@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.1.x labels Aug 25, 2020
@jhoeller jhoeller changed the title Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) Potential integer overflow in ExecutorConfigurationSupport.setAwaitTerminationSeconds(int) and AbstractResourceBasedMessageSource.setCacheSeconds(int) Aug 27, 2020
jhoeller added a commit that referenced this issue Aug 27, 2020

Closes gh-25613
jhoeller added a commit that referenced this issue Aug 27, 2020

Closes gh-25613
engimatic pushed a commit to engimatic/spring-framework that referenced this issue Sep 29, 2020
zx20110729 pushed a commit to zx20110729/spring-framework that referenced this issue Feb 18, 2022