6806226: Signed integer overflow in growable array code causes JVM crash
Summary: Work around the overflow by doing the intermediate calculations in an unsigned variable.
Reviewed-by: ysr, jcoomes
--- a/hotspot/src/share/vm/utilities/growableArray.cpp Fri Feb 20 11:12:26 2009 -0800
+++ b/hotspot/src/share/vm/utilities/growableArray.cpp Tue Feb 24 22:12:24 2009 -0800
@@ -43,11 +43,13 @@
#endif
void* GenericGrowableArray::raw_allocate(int elementSize) {
+ assert(_max >= 0, "integer overflow");
+ size_t byte_size = elementSize * (size_t) _max;
if (on_stack()) {
- return (void*)resource_allocate_bytes(elementSize * _max);
+ return (void*)resource_allocate_bytes(byte_size);
} else if (on_C_heap()) {
- return (void*)AllocateHeap(elementSize * _max, "GrET in " __FILE__);
+ return (void*)AllocateHeap(byte_size, "GrET in " __FILE__);
} else {
- return _arena->Amalloc(elementSize * _max);
+ return _arena->Amalloc(byte_size);
}
}
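Review bot: The new `byte_size` line still wraps on 32-bit targets when `elementSize * (size_t) _max` exceeds the range of `size_t`, and the `assert` added above it is compiled out of product builds, so a negative `_max` that reaches `raw_allocate` there is silently converted to a very large request instead of being reported; an undersized result from a wrapped multiplication is exactly the kind of value that ends in the out-of-bounds writes behind the reported crash. A product-mode check on the product itself, placed right after the `byte_size` line, closes that gap for all three allocation paths, e.g. `guarantee(elementSize > 0 && byte_size / (size_t) elementSize == (size_t) _max, "size_t overflow in raw_allocate");` (or whichever product-build check the utilities layer provides). The cast to `size_t` also deserves a why-comment, since the reason is only visible from the bug title: `// multiply in size_t: the int product overflowed for large arrays (6806226)`.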