6902299: Java JAR "unpack200" must verify input parameters

Summary: Added several checks for addition of values before memory allocation
Reviewed-by: asaha

src/share/native/com/sun/java/util/jar/pack/bytes.cpp

@@ -40,7 +40,7 @@ bool bytes::inBounds(const void* p) {
 
 void bytes::malloc(size_t len_) {
   len = len_;
-  ptr = NEW(byte, len_+1);  // add trailing zero byte always
+  ptr = NEW(byte, add_size(len_, 1));  // add trailing zero byte always
   if (ptr == null) {
     // set ptr to some victim memory, to ease escape
     set(dummy, sizeof(dummy)-1);
@@ -56,7 +56,7 @@ void bytes::realloc(size_t len_) {
     return;
   }
   byte* oldptr = ptr;
-  ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, len_+1);
+  ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, add_size(len_, 1));
   if (ptr != null)  {
     mtrace('r', oldptr, 0);
     mtrace('m', ptr, len_+1);

src/share/native/com/sun/java/util/jar/pack/unpack.cpp

@@ -507,7 +507,7 @@ void* unpacker::alloc_heap(size_t size, bool smallOK, bool temp) {
 
 maybe_inline
 void unpacker::saveTo(bytes& b, byte* ptr, size_t len) {
-  b.ptr = U_NEW(byte, len+1);
+  b.ptr = U_NEW(byte, add_size(len,1));
   if (aborting()) {
     b.len = 0;
     return;
@@ -1154,7 +1154,7 @@ void unpacker::read_Utf8_values(entry* cpMap, int len) {
     *fillp = 0;  // bigbuf must contain a well-formed Utf8 string
     int length = (int)(fillp - bigbuf.ptr);
     bytes& value = cpMap[i].value.b;
-    value.set(U_NEW(byte, length+1), length);
+    value.set(U_NEW(byte, add_size(length,1)), length);
     value.copyFrom(bigbuf.ptr, length);
     CHECK;
     // Index all Utf8 strings
@@ -1626,7 +1626,7 @@ unpacker::attr_definitions::popBody(int bs_base) {
     return no_bands;
   } else {
     int nb = bs_limit - bs_base;
-    band** res = U_NEW(band*, nb+1);
+    band** res = U_NEW(band*, add_size(nb, 1));
     CHECK_(no_bands);
     for (int i = 0; i < nb; i++) {
       band* b = (band*) band_stack.get(bs_base + i);
@@ -1735,7 +1735,7 @@ unpacker::attr_definitions::parseLayout(const char* lp, band** &res,
             }
             // save away the case labels
             int ntags = band_stack.length() - case_base;
-            int* tags = U_NEW(int, 1+ntags);
+            int* tags = U_NEW(int, add_size(ntags, 1));
             CHECK_(lp);
             k_case.le_casetags = tags;
             *tags++ = ntags;
@@ -3139,8 +3139,8 @@ void cpool::initMemberIndexes() {
   int*     field_counts  = T_NEW(int, nclasses);
   int*     method_counts = T_NEW(int, nclasses);
   cpindex* all_indexes   = U_NEW(cpindex, nclasses*2);
-  entry**  field_ix      = U_NEW(entry*, nfields+nclasses);
-  entry**  method_ix     = U_NEW(entry*, nmethods+nclasses);
+  entry**  field_ix      = U_NEW(entry*, add_size(nfields, nclasses));
+  entry**  method_ix     = U_NEW(entry*, add_size(nmethods, nclasses));
 
   for (j = 0; j < nfields; j++) {
     entry& f = fields[j];
@@ -4132,7 +4132,7 @@ int unpacker::write_attrs(int attrc, julong indexBits) {
           }
           const char* suffix = ".java";
           int len = (int)(prefix.len + strlen(suffix));
-          bytes name; name.set(T_NEW(byte, len + 1), len);
+          bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
           name.strcat(prefix).strcat(suffix);
           ref = cp.ensureUtf8(name);
         }
@@ -4647,7 +4647,7 @@ unpacker::file* unpacker::get_next_file() {
       bytes& prefix = cur_class->ref(0)->value.b;
       const char* suffix = ".class";
       int len = (int)(prefix.len + strlen(suffix));
-      bytes name; name.set(T_NEW(byte, len + 1), len);
+      bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
       cur_file.name = name.strcat(prefix).strcat(suffix).strval();
     }
   } else {
@@ -4714,6 +4714,7 @@ void unpacker::write_file_to_jar(unpacker::file* f) {
         input.ensureSize(fleft);
       }
       rplimit = rp = input.base();
+      CHECK;
       input.setLimit(rp + fleft);
       if (!ensure_input(fleft))
         abort("EOF reading resource file");