double d = 2.2250738585072012e-308;

General Discussions
#1

interresting ?

EDIT:
tested on Java 1.6-u21, => stuck the compilator

EDIT2:
and this one compile but stuck the JVM :
double d = Double.parseDouble(“2.2250738585072012e-308”);

#2

The real sad thing is that bug reports for this issue go back as far as 2001 :slight_smile:

#3

!! wow

PS: this bug also exist on some PHP, pretty annoying as putting this value in a formular may make the server script hang a little, and then doing that severals time can easily help to broke a server.

#4

At least now it’s got some press it’ll get fixed quickly.

Cas :slight_smile:

#5

Given the dependance that auto-boxing has on the primitive wrapper types, you’d think they would have fixed this for Java 1.5.

#6

Very quickly!

#7

:slight_smile: nice

very nice it is released as a patch it is a lot better than a JRE update, Oracle get a nice way

#8

Really? It was made public on 01/31 here:
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

(and yes - it should never have been disclosed that way…)

#9

Is there any other way to disclose it? Once Oracle brings out the patch (for Java 1.4, 1.5 and 1.6), it’s trivial to reverse engineer which bug was fixed. Not providing the patch is even worse.

You can easily bring down any Java (http server) application with this. Just look for a URL (servlet) that parses doubles, and connect to it with your crafted parameters 100 times, or maybe 1000 times if there is a cluster behind a loadbalancer… still very doable to bring down an entire website from a single PC with minimal bandwidth.

#10

Just look for a URL (servlet) that parses doubles

Tomcat 5.5 parsed doubles when it read the request header (there are weights for content negotiation).

Tomcat 6 checks the length of the string first. According to the specs there should be at most 3 decimal places.

Google Docs (their Excel thing) was also affected.

#11

oracles official post on the issue

http://blogs.oracle.com/henrik/2011/02/double_trouble_-_fixing_a_java_security_issue.html

#12

Sorta amazing that it was classified as low priority bug back then.

#13

And now they’ve taken the java bug database offline now, no doubt to read them all to avoid something as embarrassing as this happening again.

#14

AAAAaaaaaahahahaha, best bug ever!