8163518: Integer overflow in StringBufferInputStream.read() and CharArrayReader.read/skip()
Reviewed-by: rriggs, shade
--- a/jdk/src/java.base/share/classes/java/io/CharArrayReader.java Thu Aug 11 13:10:54 2016 +0800
+++ b/jdk/src/java.base/share/classes/java/io/CharArrayReader.java Thu Aug 11 17:03:40 2016 +0300
@@ -131,8 +131,10 @@
if (pos >= count) {
return -1;
}
- if (pos + len > count) {
- len = count - pos;
+
+ int avail = count - pos;
+ if (len > avail) {
+ len = avail;
}
if (len <= 0) {
return 0;
@@ -158,8 +160,10 @@
public long skip(long n) throws IOException {
synchronized (lock) {
ensureOpen();
- if (pos + n > count) {
- n = count - pos;
+
+ long avail = count - pos;
+ if (n > avail) {
+ n = avail;
}
if (n < 0) {
return 0;
--- a/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java Thu Aug 11 13:10:54 2016 +0800
+++ b/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java Thu Aug 11 17:03:40 2016 +0300
@@ -118,8 +118,10 @@
if (pos >= count) {
return -1;
}
- if (pos + len > count) {
- len = count - pos;
+
+ int avail = count - pos;
+ if (len > avail) {
+ len = avail;
}
if (len <= 0) {
return 0;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/io/CharArrayReader/OverflowInRead.java Thu Aug 11 17:03:40 2016 +0300
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when reading in large buffer
+ * @requires (os.simpleArch == "x64" & os.maxMemory > 8g)
+ * @run main/othervm -Xmx8g OverflowInRead
+ */
+
+import java.io.CharArrayReader;
+
+public class OverflowInRead {
+ public static void main(String[] args) throws Exception {
+ char[] a = "_123456789_123456789_123456789_123456789"
+ .toCharArray(); // a.length > 33
+ try (CharArrayReader car = new CharArrayReader(a)) {
+ int len1 = 33;
+ char[] buf1 = new char[len1];
+ if (car.read(buf1, 0, len1) != len1)
+ throw new Exception("Expected to read " + len1 + " chars");
+
+ int len2 = Integer.MAX_VALUE - 32;
+ char[] buf2 = new char[len2];
+ int expLen2 = a.length - len1;
+ if (car.read(buf2, 0, len2) != expLen2)
+ throw new Exception("Expected to read " + expLen2 + " chars");
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/io/CharArrayReader/OverflowInSkip.java Thu Aug 11 17:03:40 2016 +0300
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when skipping a lot
+ */
+
+import java.io.CharArrayReader;
+
+public class OverflowInSkip {
+ public static void main(String[] args) throws Exception {
+ char[] a = "_123456789_123456789_123456789_123456789"
+ .toCharArray(); // a.length > 33
+ try (CharArrayReader car = new CharArrayReader(a)) {
+ long small = 33;
+ long big = Long.MAX_VALUE;
+
+ long smallSkip = car.skip(small);
+ if (smallSkip != small)
+ throw new Exception("Expected to skip " + small
+ + " chars, but skipped " + smallSkip);
+
+ long expSkip = a.length - small;
+ long bigSkip = car.skip(big);
+ if (bigSkip != expSkip)
+ throw new Exception("Expected to skip " + expSkip
+ + " chars, but skipped " + bigSkip);
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/io/StringBufferInputStream/OverflowInRead.java Thu Aug 11 17:03:40 2016 +0300
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when reading in large buffer
+ * @requires (os.simpleArch == "x64" & os.maxMemory > 4g)
+ * @run main/othervm -Xmx4g OverflowInRead
+ */
+
+import java.io.StringBufferInputStream;
+
+public class OverflowInRead {
+ public static void main(String[] args) throws Exception {
+ String s = "_123456789_123456789_123456789_123456789"; // s.length() > 33
+ try (StringBufferInputStream sbis = new StringBufferInputStream(s)) {
+ int len1 = 33;
+ byte[] buf1 = new byte[len1];
+ if (sbis.read(buf1, 0, len1) != len1)
+ throw new Exception("Expected to read " + len1 + " bytes");
+
+ int len2 = Integer.MAX_VALUE - 32;
+ byte[] buf2 = new byte[len2];
+ int expLen2 = s.length() - len1;
+ if (sbis.read(buf2, 0, len2) != expLen2)
+ throw new Exception("Expected to read " + expLen2 + " bytes");
+ }
+ }
+}