提交 47081801 编写于 作者: M mgerdin

8027252: Crash in interpreter because get_unsigned_2_byte_index_at_bcp reads 4 bytes

Summary: Use 2-byte loads to load indexes from the byte code stream to avoid out of bounds reads.
Reviewed-by: coleenp, sspitsyn
上级 e5740cd0
...@@ -196,7 +196,7 @@ void InterpreterMacroAssembler::check_and_handle_earlyret(Register java_thread) ...@@ -196,7 +196,7 @@ void InterpreterMacroAssembler::check_and_handle_earlyret(Register java_thread)
void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(Register reg, int bcp_offset) { void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(Register reg, int bcp_offset) {
assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode"); assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
movl(reg, Address(rsi, bcp_offset)); load_unsigned_short(reg, Address(rsi, bcp_offset));
bswapl(reg); bswapl(reg);
shrl(reg, 16); shrl(reg, 16);
} }
...@@ -192,7 +192,7 @@ void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp( ...@@ -192,7 +192,7 @@ void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(
Register reg, Register reg,
int bcp_offset) { int bcp_offset) {
assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode"); assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
movl(reg, Address(r13, bcp_offset)); load_unsigned_short(reg, Address(r13, bcp_offset));
bswapl(reg); bswapl(reg);
shrl(reg, 16); shrl(reg, 16);
} }
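Review bot: The new `load_unsigned_short(reg, Address(r13, bcp_offset));` carries no comment saying why the load width matters, and the `bswapl`/`shrl(reg, 16)` pair after it only reads naturally once one knows the operand is stored big-endian in the bytecode stream. I would put above the load `// 2-byte load: a 4-byte load reads past the end of the code array when this is the last bytecode of the method (8027252)` and above the swap `// index is big-endian in the bytecode stream; bswapl + shrl 16 reverse the two loaded bytes`. The same three-instruction sequence appears in the rsi variant in the hunk above and in both TemplateTable::locals_index_wide hunks below, so the comment belongs at each site. The function's opening line sits in the hunk header context just above this hunk.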
...@@ -558,7 +558,7 @@ void TemplateTable::aload() { ...@@ -558,7 +558,7 @@ void TemplateTable::aload() {
void TemplateTable::locals_index_wide(Register reg) { void TemplateTable::locals_index_wide(Register reg) {
__ movl(reg, at_bcp(2)); __ load_unsigned_short(reg, at_bcp(2));
__ bswapl(reg); __ bswapl(reg);
__ shrl(reg, 16); __ shrl(reg, 16);
__ negptr(reg); __ negptr(reg);
...@@ -1552,7 +1552,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) { ...@@ -1552,7 +1552,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) {
InvocationCounter::counter_offset(); InvocationCounter::counter_offset();
// Load up EDX with the branch displacement // Load up EDX with the branch displacement
__ movl(rdx, at_bcp(1)); if (is_wide) {
__ movl(rdx, at_bcp(1));
} else {
__ load_signed_short(rdx, at_bcp(1));
}
__ bswapl(rdx); __ bswapl(rdx);
if (!is_wide) __ sarl(rdx, 16); if (!is_wide) __ sarl(rdx, 16);
LP64_ONLY(__ movslq(rdx, rdx)); LP64_ONLY(__ movslq(rdx, rdx));
...@@ -568,7 +568,7 @@ void TemplateTable::aload() { ...@@ -568,7 +568,7 @@ void TemplateTable::aload() {
} }
void TemplateTable::locals_index_wide(Register reg) { void TemplateTable::locals_index_wide(Register reg) {
__ movl(reg, at_bcp(2)); __ load_unsigned_short(reg, at_bcp(2));
__ bswapl(reg); __ bswapl(reg);
__ shrl(reg, 16); __ shrl(reg, 16);
__ negptr(reg); __ negptr(reg);
...@@ -1575,7 +1575,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) { ...@@ -1575,7 +1575,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) {
InvocationCounter::counter_offset(); InvocationCounter::counter_offset();
// Load up edx with the branch displacement // Load up edx with the branch displacement
__ movl(rdx, at_bcp(1)); if (is_wide) {
__ movl(rdx, at_bcp(1));
} else {
__ load_signed_short(rdx, at_bcp(1));
}
__ bswapl(rdx); __ bswapl(rdx);
if (!is_wide) { if (!is_wide) {