6902299: Java JAR "unpack200" must verify input parameters
Summary: Added overflow checks on size additions that precede memory allocation
Reviewed-by: asaha
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.cpp Fri Feb 19 22:30:52 2010 +0300
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/bytes.cpp Mon Feb 22 14:33:19 2010 -0800
@@ -40,7 +40,7 @@
void bytes::malloc(size_t len_) {
len = len_;
- ptr = NEW(byte, len_+1); // add trailing zero byte always
+ ptr = NEW(byte, add_size(len_, 1)); // add trailing zero byte always
if (ptr == null) {
// set ptr to some victim memory, to ease escape
set(dummy, sizeof(dummy)-1);
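Review bot: bytes::malloc still has no range guard on `len_` itself, whereas bytes::realloc in the next hunk refuses `len_ >= PSIZE_MAX` before ever reaching the allocator, and `len = len_` is stored before the allocation is known to succeed. If `add_size` reports overflow by aborting and returning rather than by never returning, the NEW on the following line still runs with whatever it returned while `len` already holds the rejected size. Mirroring realloc keeps both paths consistent and routes an oversized request through the existing null-pointer/dummy path: `ptr = (len_ >= PSIZE_MAX) ? null : NEW(byte, add_size(len_, 1)); // add trailing zero byte always`. The function body continues past the hunk.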
@@ -56,7 +56,7 @@
return;
}
byte* oldptr = ptr;
- ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, len_+1);
+ ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, add_size(len_, 1));
if (ptr != null) {
mtrace('r', oldptr, 0);
mtrace('m', ptr, len_+1);
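Review bot: This realloc path now checks the same sum twice — `len_ >= PSIZE_MAX` on the ternary and `add_size(len_, 1)` inside it — and a reader cannot tell which is the authoritative guard, while the trace call two lines later still spells the size as `len_+1`. A one-line comment would settle it, e.g. `// len_ >= PSIZE_MAX already excludes wraparound of len_+1; add_size kept for symmetry with malloc`, assuming PSIZE_MAX is below SIZE_MAX (its definition is not in this hunk). The branch taken when realloc fails, where the saved `oldptr` presumably matters, lies outside the hunk.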
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Fri Feb 19 22:30:52 2010 +0300
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Mon Feb 22 14:33:19 2010 -0800
@@ -507,7 +507,7 @@
maybe_inline
void unpacker::saveTo(bytes& b, byte* ptr, size_t len) {
- b.ptr = U_NEW(byte, len+1);
+ b.ptr = U_NEW(byte, add_size(len,1));
if (aborting()) {
b.len = 0;
return;
@@ -1154,7 +1154,7 @@
*fillp = 0; // bigbuf must contain a well-formed Utf8 string
int length = (int)(fillp - bigbuf.ptr);
bytes& value = cpMap[i].value.b;
- value.set(U_NEW(byte, length+1), length);
+ value.set(U_NEW(byte, add_size(length,1)), length);
value.copyFrom(bigbuf.ptr, length);
CHECK;
// Index all Utf8 strings
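Review bot: `value.copyFrom(bigbuf.ptr, length)` writes through the freshly allocated buffer before `CHECK` runs, so if `U_NEW` hands back a null pointer when the unpacker aborts (the `aborting()` test placed directly after `U_NEW` in saveTo suggests it can fail that way), the copy writes through null before the abort is noticed. Move the check between allocation and use: `value.set(U_NEW(byte, add_size(length,1)), length);` / `CHECK;` / `value.copyFrom(bigbuf.ptr, length);`. Note also that `length` is an `int` taken from a pointer difference and is handed to a helper that, judging by its use with `size_t` in bytes.cpp, takes `size_t`; a negative value would convert to a huge size, which the helper presumably rejects. The enclosing loop starts and ends outside the hunk.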
@@ -1626,7 +1626,7 @@
return no_bands;
} else {
int nb = bs_limit - bs_base;
- band** res = U_NEW(band*, nb+1);
+ band** res = U_NEW(band*, add_size(nb, 1));
CHECK_(no_bands);
for (int i = 0; i < nb; i++) {
band* b = (band*) band_stack.get(bs_base + i);
@@ -1735,7 +1735,7 @@
}
// save away the case labels
int ntags = band_stack.length() - case_base;
- int* tags = U_NEW(int, 1+ntags);
+ int* tags = U_NEW(int, add_size(ntags, 1));
CHECK_(lp);
k_case.le_casetags = tags;
*tags++ = ntags;
@@ -3139,8 +3139,8 @@
int* field_counts = T_NEW(int, nclasses);
int* method_counts = T_NEW(int, nclasses);
cpindex* all_indexes = U_NEW(cpindex, nclasses*2);
- entry** field_ix = U_NEW(entry*, nfields+nclasses);
- entry** method_ix = U_NEW(entry*, nmethods+nclasses);
+ entry** field_ix = U_NEW(entry*, add_size(nfields, nclasses));
+ entry** method_ix = U_NEW(entry*, add_size(nmethods, nclasses));
for (j = 0; j < nfields; j++) {
entry& f = fields[j];
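Review bot: The `nclasses*2` element count on the `all_indexes` allocation is left unguarded while the two additions right below it were wrapped, even though a product wraps just as an addition does; with only `add_size` introduced by this change it can be written as `cpindex* all_indexes = U_NEW(cpindex, add_size(nclasses, nclasses));`. Whether `U_NEW` itself guards the element-count times `sizeof(T)` multiplication is not visible here and should be confirmed, since `add_size` only protects the count. The enclosing function starts and ends outside the hunk.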
@@ -4132,7 +4132,7 @@
}
const char* suffix = ".java";
int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
name.strcat(prefix).strcat(suffix);
ref = cp.ensureUtf8(name);
}
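Review bot: The overflow check lands after the value has already been narrowed: `int len = (int)(prefix.len + strlen(suffix))` truncates a `size_t` sum (bytes::malloc takes `size_t`, so `prefix.len` is presumably that type) to `int`, and `add_size(len, 1)` then checks the truncated value rather than the real length. Keep the arithmetic in `size_t` and check the first sum too: `size_t len = add_size(prefix.len, strlen(suffix));` followed by `bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);`. In practice the sum cannot wrap for a prefix already held in memory, so this is about consistency of the guard rather than a reachable overflow. The function continues outside the hunk.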
@@ -4647,7 +4647,7 @@
bytes& prefix = cur_class->ref(0)->value.b;
const char* suffix = ".class";
int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
cur_file.name = name.strcat(prefix).strcat(suffix).strval();
}
} else {
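Review bot: There is no abort check between the `T_NEW` allocation and the `strcat` calls that fill it, unlike the `U_NEW ... CHECK_(lp)` sequence earlier in this file, so if `T_NEW` reports an oversized or failed allocation by aborting and returning null, `name.strcat(prefix)` writes into the null buffer before anything notices. Insert a check after `bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);`, using whichever of `CHECK` / `CHECK_(...)` matches this function's return type. The same lines also narrow `prefix.len + strlen(suffix)` to `int` before `add_size` sees it; computing `len` as `size_t` via `add_size(prefix.len, strlen(suffix))` would check the real sum. The enclosing if/else continues outside the hunk.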
@@ -4714,6 +4714,7 @@
input.ensureSize(fleft);
}
rplimit = rp = input.base();
+ CHECK;
input.setLimit(rp + fleft);
if (!ensure_input(fleft))
abort("EOF reading resource file");
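Review bot: The new `CHECK` has no comment saying what it guards against, and its placement — after `rplimit = rp = input.base()` rather than directly after `input.ensureSize(fleft)` — reads as arbitrary without one. If the intent is that ensureSize may abort on an oversized `fleft` and leave `input` pointing at a fallback buffer, say so: `CHECK; // ensureSize may have aborted on an oversized fleft; do not set a limit on a failed buffer`. Placing it immediately after the ensureSize call, inside the `if`, would also avoid reseating `rp`/`rplimit` from a failed buffer, though if the caller unwinds on abort either position is safe. The enclosing function and the `if` around ensureSize start before the hunk and continue after it.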