From 423dd8785c8fabf520116f83a299db8cd21b811a Mon Sep 17 00:00:00 2001
From: robm
Date: Fri, 18 Nov 2016 14:52:52 +0000
Subject: [PATCH] 8168705: Better ObjectIdentifier validation
Reviewed-by: ascarpino
---
 src/share/classes/sun/security/util/ObjectIdentifier.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/share/classes/sun/security/util/ObjectIdentifier.java b/src/share/classes/sun/security/util/ObjectIdentifier.java
index 66038a377..97dc9c5e2 100644
--- a/src/share/classes/sun/security/util/ObjectIdentifier.java
+++ b/src/share/classes/sun/security/util/ObjectIdentifier.java
@@ -255,7 +255,13 @@ class ObjectIdentifier implements Serializable
 + " (tag = " + type_id + ")"
 );
- encoding = new byte[in.getLength()];
+ int len = in.getLength();
+ if (len > in.available()) {
+ throw new IOException("ObjectIdentifier() -- length exceeds" +
+ "data available. Length: " + len + ", Available: " +
+ in.available());
+ }
+ encoding = new byte[len];
 in.getBytes(encoding);
 check(encoding);
 }
-- 
GitLab
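Review bot: The added guard bounds `len` only from above, so a negative value from `in.getLength()` would still reach `new byte[len]` and surface as an unchecked `NegativeArraySizeException` rather than the `IOException` a caller parsing untrusted DER would catch. Whether `getLength()` can return a negative value (for example for an indefinite-length encoding) is not visible in this hunk, so confirm it; if it can, widen the check to `if (len < 0 || len > in.available()) {`. The message is also assembled from `"... length exceeds" +` and `"data available. ..."` with no space between the literals, so it prints `exceedsdata`; end the first literal with a space. A one-line comment above the check, such as `// len is attacker-controlled; never allocate more than the stream actually holds`, would record why it exists. The enclosing constructor begins above the hunk, so any earlier validation of `in` is not visible here.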