6830335: Java JAR Pack200 Decompression Integer Overflow Vulnerability
authorksrini
Mon, 22 Jun 2009 07:23:20 -0700 (2009-06-22)
changeset 3463 054c9c1f9fd9
parent 3462 4477fb399895
child 3464 4ef40ee318ef
6830335: Java JAR Pack200 Decompression Integer Overflow Vulnerability Summary: Fixes a potential vulnerability in the unpack200 logic, by adding extra checks, a back-port. Reviewed-by: asaha
jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Tue Jun 23 13:54:36 2009 -0400
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Mon Jun 22 07:23:20 2009 -0700
@@ -908,10 +908,12 @@
 
   // place a limit on future CP growth:
   int generous = 0;
-  generous += u->ic_count*3; // implicit name, outer, outer.utf8
-  generous += 40;  // WKUs, misc
-  generous += u->class_count;  // implicit SourceFile strings
-  maxentries = nentries + generous;
+  generous = add_size(generous, u->ic_count); // implicit name
+  generous = add_size(generous, u->ic_count); // outer
+  generous = add_size(generous, u->ic_count); // outer.utf8
+  generous = add_size(generous, 40); // WKUs, misc
+  generous = add_size(generous, u->class_count); // implicit SourceFile strings
+  maxentries = add_size(nentries, generous);
 
   // Note that this CP does not include "empty" entries
   // for longs and doubles.  Those are introduced when