# HG changeset patch
# User ksrini
# Date 1266877999 28800
# Node ID 79b41f733e33a3335fa3b7f7f10f511728a88c6a
# Parent efdb957bacbe37763e75b1c6e87fdfa4640fb8fc
6902299: Java JAR "unpack200" must verify input parameters
Summary: Added several checks for addition of values before memory allocation
Reviewed-by: asaha
diff -r efdb957bacbe -r 79b41f733e33 jdk/src/share/native/com/sun/java/util/jar/pack/bytes.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.cpp Fri Feb 19 22:30:52 2010 +0300
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.cpp Mon Feb 22 14:33:19 2010 -0800
@@ -40,7 +40,7 @@
 void bytes::malloc(size_t len_) {
 len = len_;
- ptr = NEW(byte, len_+1); // add trailing zero byte always
+ ptr = NEW(byte, add_size(len_, 1)); // add trailing zero byte always
 if (ptr == null) {
 // set ptr to some victim memory, to ease escape
 set(dummy, sizeof(dummy)-1);
@@ -56,7 +56,7 @@
 return;
 }
 byte* oldptr = ptr;
- ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, len_+1);
+ ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, add_size(len_, 1));
 if (ptr != null) {
 mtrace('r', oldptr, 0);
 mtrace('m', ptr, len_+1);
diff -r efdb957bacbe -r 79b41f733e33 jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Fri Feb 19 22:30:52 2010 +0300
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Mon Feb 22 14:33:19 2010 -0800
@@ -507,7 +507,7 @@
 maybe_inline
 void unpacker::saveTo(bytes& b, byte* ptr, size_t len) {
- b.ptr = U_NEW(byte, len+1);
+ b.ptr = U_NEW(byte, add_size(len,1));
 if (aborting()) {
 b.len = 0;
 return;
@@ -1154,7 +1154,7 @@
 *fillp = 0; // bigbuf must contain a well-formed Utf8 string
 int length = (int)(fillp - bigbuf.ptr);
 bytes& value = cpMap[i].value.b;
- value.set(U_NEW(byte, length+1), length);
+ value.set(U_NEW(byte, add_size(length,1)), length);
 value.copyFrom(bigbuf.ptr, length);
 CHECK;
 // Index all Utf8 strings
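Review bot: In the @@ -56 hunk of bytes.cpp the trace call three lines below the change, `mtrace('m', ptr, len_+1);`, still computes the size with the unchecked `len_+1` while the realloc now uses `add_size(len_, 1)`, so the two size expressions can drift apart. Compute the size once and pass it to both: `size_t nlen = add_size(len_, 1);`, `ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, nlen);`, `mtrace('m', ptr, nlen);`. The existing `len_ >= PSIZE_MAX` guard presumably already makes the `+1` safe here, so the new `add_size` call is defence in depth — a short comment saying so would spare the next reader from wondering which check is load-bearing. The enclosing bytes::realloc body starts and ends outside the hunk.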
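Review bot: In unpacker::saveTo the new call is written `add_size(len,1)` while the bytes.cpp hunks write `add_size(len_, 1)`; the same helper should be spelled consistently across one commit, `b.ptr = U_NEW(byte, add_size(len, 1));`. The @@ -1154 hunk, `add_size(length,1)`, has the same spacing. saveTo's body continues past the end of the hunk.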
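Review bot: `add_size(length,1)` guards only the `+1`, but `length` was produced one line earlier by `(int)(fillp - bigbuf.ptr)`, so any truncation of the pointer difference happens before the checked addition sees it; a negative `int` converted to `size_t` would reach `add_size` as a very large but non-wrapping request rather than being rejected as an overflow. Whether `bigbuf` can grow past INT_MAX is not visible in this hunk; if it is bounded elsewhere a comment stating that bound is enough, otherwise keep the value unsigned, `size_t length = (size_t)(fillp - bigbuf.ptr);` (assuming `bytes::set` and `copyFrom` take `size_t`, as the `saveTo` signature above suggests). The hunks at @@ -4132 and @@ -4647 have the same shape, `int len = (int)(prefix.len + strlen(suffix));`, and there the `prefix.len + strlen(suffix)` addition is itself unchecked before the narrowing cast; `add_size(prefix.len, strlen(suffix))` would cover it with the helper this commit introduces. The enclosing loop body starts and ends outside the hunk.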
@@ -1626,7 +1626,7 @@
 return no_bands;
 } else {
 int nb = bs_limit - bs_base;
- band** res = U_NEW(band*, nb+1);
+ band** res = U_NEW(band*, add_size(nb, 1));
 CHECK_(no_bands);
 for (int i = 0; i < nb; i++) {
 band* b = (band*) band_stack.get(bs_base + i);
@@ -1735,7 +1735,7 @@
 }
 // save away the case labels
 int ntags = band_stack.length() - case_base;
- int* tags = U_NEW(int, 1+ntags);
+ int* tags = U_NEW(int, add_size(ntags, 1));
 CHECK_(lp);
 k_case.le_casetags = tags;
 *tags++ = ntags;
@@ -3139,8 +3139,8 @@
 int* field_counts = T_NEW(int, nclasses);
 int* method_counts = T_NEW(int, nclasses);
 cpindex* all_indexes = U_NEW(cpindex, nclasses*2);
- entry** field_ix = U_NEW(entry*, nfields+nclasses);
- entry** method_ix = U_NEW(entry*, nmethods+nclasses);
+ entry** field_ix = U_NEW(entry*, add_size(nfields, nclasses));
+ entry** method_ix = U_NEW(entry*, add_size(nmethods, nclasses));
 for (j = 0; j < nfields; j++) {
 entry& f = fields[j];
@@ -4132,7 +4132,7 @@
 }
 const char* suffix = ".java";
 int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
 name.strcat(prefix).strcat(suffix);
 ref = cp.ensureUtf8(name);
 }
@@ -4647,7 +4647,7 @@
 bytes& prefix = cur_class->ref(0)->value.b;
 const char* suffix = ".class";
 int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
 cur_file.name = name.strcat(prefix).strcat(suffix).strval();
 }
 } else {
@@ -4714,6 +4714,7 @@
 input.ensureSize(fleft);
 }
 rplimit = rp = input.base();
+ CHECK;
 input.setLimit(rp + fleft);
 if (!ensure_input(fleft))
 abort("EOF reading resource file");
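Review bot: In the @@ -3139 hunk the context line directly above the two changed lines, `cpindex* all_indexes = U_NEW(cpindex, nclasses*2);`, is left as an unchecked `int` multiplication while the neighbouring `nfields+nclasses` and `nmethods+nclasses` now go through `add_size`; if `nclasses` is read from the archive the same overflow class applies to that count (and `nclasses*2` on a signed `int` is undefined behaviour when it wraps). Unless `U_NEW` validates its element count internally, which is not visible here, express it with the same helper, `cpindex* all_indexes = U_NEW(cpindex, add_size(nclasses, nclasses));`, or bound `nclasses` before this point. The enclosing function starts and ends outside the hunk.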
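Review bot: In the @@ -4714 hunk the new `CHECK;` sits after `rplimit = rp = input.base();`, so when `input.ensureSize(fleft)` has already aborted the parser's read pointers are assigned from the failed buffer before the abort is noticed; if ensureSize goes through bytes::malloc shown above, that buffer is the static `dummy` victim storage. Checking immediately after the allocation keeps `rp`/`rplimit` from being set on the error path at all: `input.ensureSize(fleft);` followed by `CHECK;` inside the `if`. A one-line comment that `rp + fleft` on the next line is only meaningful once the allocation has succeeded would make the placement of the check self-explaining; `fleft` is presumably taken from the archive header, though its origin is outside the hunk. The enclosing function starts and ends outside the hunk.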