For instance, if the programmer does not explicitly check the bounds of the array, the program can crash. The language itself does not provide any features to control this, and hands over this responsibility over to programmers.

Java, as we know, is quite different. It takes away some power from the programmer in terms of what the programmer can directly do with arrays, but then it also assumes greater responsibility at the language semantics level. It does not allow a programmer to cross the boundaries of an array and possibly access other parts of memory intentionally or otherwise. Because there are no pointers, a programmer cannot bypass the mechanism of accessing array members in the standard manner anyway.

However, there is an interesting security hole that an attacker can exploit, with reference to returning arrays during method calls. To understand this clearly, let us quickly review the basics of arrays in Java for the sake of completeness.

An array is essentially a list of variables of similar type. For creating an array, we need to create the array variable of the desired type. The basic declaration of an array takes the following form:

Here, type represents the base data type of the array. The type determines the data type of each element in the array. For instance, we can create an array of integers by using the following declaration:

Although this declaration signifies that temperature is an array variable, at this juncture, no array actually exists. No memory is allocated for the storage of the array. Instead, temperature is set to null, which means an array with no value. We can conceptually think of it as a null pointer. We need to explicitly use the new operator if we want to link temperature to an array that will actually exist in memory.

The general syntax for doing this is as follows:

This creates an array of the appropriate type, containing size number of elements. They can be accessed by making use of the array-variable-name with the appropriate array index. Extending the same example, we have:

This creates an array of 31 integers, all of which can be accessed by the name temperature, suffixed with the appropriate index. For example, temperature [5] provides us the 6th array value, as the index starts counting from 0. By default, Java automatically initializes all integer array members to 0.

This reiterates the fact that in Java, arrays are implemented as objects. Our following discussion considers arrays as an example and equally applies to objects of all kinds. However, to keep things simple, we shall only talk about arrays, and ignore other kinds of objects, because the same concepts can be applied there.

Now let us think about a Java class named Example. As we can see, the class declares a private integer array named innerData. The setData () method allocates memory for five integer members of this array and initializes the values of the array members using a for loop. The displayData () method simply displays the contents of the array. The getData () method returns the array to the calling method.

public class Example {

	private int innerData [];

	public int [] getData () {
		System.out.println ("Inside getData ...");
		return innerData;
	}

	void setData () {
		System.out.println ("Inside setData ...");
		innerData = new int [5];

		for (int i=0; i < innerData.length; i++)  {
			innerData [i] = i;
		}
	}

	void displayData () {
		System.out.println ("Inside displayData ...");

		for (int i=0; i < innerData.length; i++)  {
			System.out.println (innerData [i]);
		}
	}
}

This seems to be quite fine. Let us compile this class. Then let us write another class named Tester to test the functionality of the above class.

public class Tester {

	public static void main (String args []) {

		Example example = new Example ();
		int arr []= new int [5];
		example.setData ();
		example.displayData ();
		arr = example.getData ();
		for (int i=0; i < arr.length; i++) {
				arr [i] = arr [i] * 10;
		}
		example.displayData ();
	}
}

Let us understand what we are trying to do here.