From 61ce0f486851397514da7d6210549c1deae8d82d Mon Sep 17 00:00:00 2001
From: mpoindexter <staticsnow@gmail.com>
Date: Thu, 21 Feb 2013 21:05:20 -0800
Subject: [PATCH] Fix ArrayIndexOutOfBounds when writing big buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If ChannelOutputStream.write(byte[], int, int) was called with a buffer larger
than bufferSize the loop in that method would call DataBuffer.write with a small len
and a large off.  This would cause the calculation in line 90 to return a negative n
leading to a ArrayIndexOutOfBounds.  The offset should not be taken into account when
calculating the number of bytes to put in the buffer.
---
 .../schmizz/sshj/connection/channel/ChannelOutputStream.java  | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/java/net/schmizz/sshj/connection/channel/ChannelOutputStream.java b/src/main/java/net/schmizz/sshj/connection/channel/ChannelOutputStream.java
index a6e4dc6f..04071cdc 100644
--- a/src/main/java/net/schmizz/sshj/connection/channel/ChannelOutputStream.java
+++ b/src/main/java/net/schmizz/sshj/connection/channel/ChannelOutputStream.java
@@ -87,7 +87,7 @@ public final class ChannelOutputStream
                 flush(bufferSize);
                 return 0;
             } else {
-                final int n = Math.min(len - off, win.getMaxPacketSize() - bufferSize);
+                final int n = Math.min(len, win.getMaxPacketSize() - bufferSize);
                 packet.putRawBytes(data, off, n);
                 return n;
             }
@@ -214,4 +214,4 @@ public final class ChannelOutputStream
         return "< ChannelOutputStream for Channel #" + chan.getID() + " >";
     }
 
-}
\ No newline at end of file
+}