8165936: Potential Heap buffer overflow when seaching timezone info files
Summary: readdir_r called with too small buffer
Reviewed-by: clanger, rriggs, okutsu, naoto
--- a/jdk/src/java.base/unix/native/libjava/TimeZone_md.c Thu Sep 15 01:10:36 2016 -0700
+++ b/jdk/src/java.base/unix/native/libjava/TimeZone_md.c Tue Sep 13 11:38:31 2016 +0200
@@ -128,13 +128,26 @@
char *dbuf = NULL;
char *tz = NULL;
int res;
+ long name_max = 0;
dirp = opendir(dir);
if (dirp == NULL) {
return NULL;
}
- entry = (struct dirent64 *) malloc((size_t) pathconf(dir, _PC_NAME_MAX));
+ name_max = pathconf(dir, _PC_NAME_MAX);
+ // If pathconf did not work, fall back to NAME_MAX.
+ if (name_max < 0) {
+ name_max = NAME_MAX;
+ }
+ // Some older System V systems have a very small NAME_MAX size of 14; as
+ // there is no way to tell readdir_r the output buffer size, lets enforce
+ // a mimimum buffer size.
+ if (name_max < 1024) {
+ name_max = 1024;
+ }
+
+ entry = (struct dirent64 *)malloc(offsetof(struct dirent64, d_name) + name_max + 1);
if (entry == NULL) {
(void) closedir(dirp);
return NULL;
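Review bot: The buffer size is still taken from `pathconf(dir, _PC_NAME_MAX)`, which resolves the path a second time after `opendir(dir)` has returned, so the limit may describe a different directory than the stream being read if the path is replaced in between. Querying the open stream instead, `name_max = fpathconf(dirfd(dirp), _PC_NAME_MAX);`, ties the limit to `dirp`, though whether `dirfd` is available on every platform built from this unix source would need checking. As the added comment says, readdir_r cannot be told the buffer size, so the 1024 floor is a heuristic rather than an enforced bound; a comment such as `// readdir_r writes d_name without a length check; the buffer must cover the longest name the filesystem can return` would make that explicit, and `mimimum` in the existing comment should read `minimum`. The enclosing function begins and ends outside this hunk, so the readdir_r call and the release of `entry` are not visible here.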