From 7081657d8f706665d8a8fc7fd87b3d69d2dc5302 Mon Sep 17 00:00:00 2001
From: ksrini
Date: Mon, 22 Feb 2010 14:33:19 -0800
Subject: [PATCH] 6902299: Java JAR "unpack200" must verify input parameters
Summary: Added several checks for addition of values before memory allocation
Reviewed-by: asaha
---
 .../native/com/sun/java/util/jar/pack/bytes.cpp | 4 ++--
 .../com/sun/java/util/jar/pack/unpack.cpp | 17 +++++++++--------
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/share/native/com/sun/java/util/jar/pack/bytes.cpp b/src/share/native/com/sun/java/util/jar/pack/bytes.cpp
index 097c51cee..51f393f07 100644
--- a/src/share/native/com/sun/java/util/jar/pack/bytes.cpp
+++ b/src/share/native/com/sun/java/util/jar/pack/bytes.cpp
@@ -40,7 +40,7 @@ bool bytes::inBounds(const void* p) {
 void bytes::malloc(size_t len_) {
 len = len_;
- ptr = NEW(byte, len_+1); // add trailing zero byte always
+ ptr = NEW(byte, add_size(len_, 1)); // add trailing zero byte always
 if (ptr == null) {
 // set ptr to some victim memory, to ease escape
 set(dummy, sizeof(dummy)-1);
@@ -56,7 +56,7 @@ void bytes::realloc(size_t len_) {
 return;
 }
 byte* oldptr = ptr;
- ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, len_+1);
+ ptr = (len_ >= PSIZE_MAX) ? null : (byte*)::realloc(ptr, add_size(len_, 1));
 if (ptr != null) {
 mtrace('r', oldptr, 0);
 mtrace('m', ptr, len_+1);
diff --git a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
index 7ca65c5d6..c880147e5 100644
--- a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -507,7 +507,7 @@ void* unpacker::alloc_heap(size_t size, bool smallOK, bool temp) {
 maybe_inline
 void unpacker::saveTo(bytes& b, byte* ptr, size_t len) {
- b.ptr = U_NEW(byte, len+1);
+ b.ptr = U_NEW(byte, add_size(len,1));
 if (aborting()) {
 b.len = 0;
 return;
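Review bot: In `bytes::malloc` the new `ptr = NEW(byte, add_size(len_, 1));` handles the overflow case only indirectly: add_size has to turn a wrapped sum into a size that NEW refuses, and the caller then relies on the `ptr == null` dummy path below. Nothing on this line says so, and whether NEW (or the allocator behind it) actually rejects that oversize value is outside the hunk and should be confirmed. Suggest `ptr = NEW(byte, add_size(len_, 1)); // add_size() reports overflow as an oversize value; NEW() must refuse it so we reach the null path below` so the next reader knows which side owns the check. The function's body continues past the hunk.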
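Review bot: In `bytes::realloc` the checked sum is handed straight to the C library, `(byte*)::realloc(ptr, add_size(len_, 1))`, which knows nothing about how add_size signals overflow; if it returns a sentinel size rather than aborting, ::realloc would simply be asked for that size. What actually prevents the wrap here is the `len_ >= PSIZE_MAX` guard in the same expression (assuming PSIZE_MAX sits well below SIZE_MAX), so the add_size is belt-and-braces rather than the check, and a short comment saying so would stop a later reader from removing the guard as redundant. The trace two lines below still reads `mtrace('m', ptr, len_+1);` — harmless since it runs only on success, but `mtrace('m', ptr, add_size(len_, 1));` would keep the two in step. The else branch that presumably deals with `oldptr` on failure lies outside the hunk.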
@@ -1154,7 +1154,7 @@ void unpacker::read_Utf8_values(entry* cpMap, int len) {
 *fillp = 0; // bigbuf must contain a well-formed Utf8 string
 int length = (int)(fillp - bigbuf.ptr);
 bytes& value = cpMap[i].value.b;
- value.set(U_NEW(byte, length+1), length);
+ value.set(U_NEW(byte, add_size(length,1)), length);
 value.copyFrom(bigbuf.ptr, length);
 CHECK;
 // Index all Utf8 strings
@@ -1626,7 +1626,7 @@ unpacker::attr_definitions::popBody(int bs_base) {
 return no_bands;
 } else {
 int nb = bs_limit - bs_base;
- band** res = U_NEW(band*, nb+1);
+ band** res = U_NEW(band*, add_size(nb, 1));
 CHECK_(no_bands);
 for (int i = 0; i < nb; i++) {
 band* b = (band*) band_stack.get(bs_base + i);
@@ -1735,7 +1735,7 @@ unpacker::attr_definitions::parseLayout(const char* lp, band** &res,
 }
 // save away the case labels
 int ntags = band_stack.length() - case_base;
- int* tags = U_NEW(int, 1+ntags);
+ int* tags = U_NEW(int, add_size(ntags, 1));
 CHECK_(lp);
 k_case.le_casetags = tags;
 *tags++ = ntags;
@@ -3139,8 +3139,8 @@ void cpool::initMemberIndexes() {
 int* field_counts = T_NEW(int, nclasses);
 int* method_counts = T_NEW(int, nclasses);
 cpindex* all_indexes = U_NEW(cpindex, nclasses*2);
- entry** field_ix = U_NEW(entry*, nfields+nclasses);
- entry** method_ix = U_NEW(entry*, nmethods+nclasses);
+ entry** field_ix = U_NEW(entry*, add_size(nfields, nclasses));
+ entry** method_ix = U_NEW(entry*, add_size(nmethods, nclasses));
 for (j = 0; j < nfields; j++) {
 entry& f = fields[j];
@@ -4132,7 +4132,7 @@ int unpacker::write_attrs(int attrc, julong indexBits) {
 }
 const char* suffix = ".java";
 int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
 name.strcat(prefix).strcat(suffix);
 ref = cp.ensureUtf8(name);
 }
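Review bot: In `read_Utf8_values` the `CHECK;` still sits after `value.copyFrom(bigbuf.ptr, length);`, so a failure of the new `U_NEW(byte, add_size(length,1))` is noticed only after the copy has already been attempted. The saveTo hunk in this same patch tests `aborting()` immediately after its U_NEW, which suggests a failed U_NEW returns null and sets the abort flag; if so, `value.set(null, length)` followed by copyFrom writes `length` bytes through a null pointer before the check fires. Swap the two lines so the allocation is checked first: `value.set(U_NEW(byte, add_size(length,1)), length); CHECK; value.copyFrom(bigbuf.ptr, length);`. The loop and the function continue outside the hunk.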
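Review bot: In `cpool::initMemberIndexes` the allocation on the context line `cpindex* all_indexes = U_NEW(cpindex, nclasses*2);` still performs an unchecked `int` multiply, while the two additions right below it now go through add_size; if nclasses can be large enough for `nfields+nclasses` to need a check, `nclasses*2` deserves the same treatment. The helper already in use expresses it without introducing anything new: `cpindex* all_indexes = U_NEW(cpindex, add_size(nclasses, nclasses));`. Whether nclasses is bounded earlier (by the constant-pool size, say) cannot be seen from here; the function's start and the loops that fill these arrays are outside the hunk.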
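Review bot: In `write_attrs` the new `add_size(len, 1)` is applied after the narrowing on the line above, `int len = (int)(prefix.len + strlen(suffix));`, so the size_t sum is truncated to int before any check sees it; a prefix.len near or above INT_MAX would produce a small or negative len, and `name.strcat(prefix)` would then copy prefix.len bytes into a buffer sized from the truncated value. Computing the checked sum first, `size_t len = add_size(prefix.len, strlen(suffix));` and using that for both T_NEW and `name.set`, keeps the check ahead of the narrowing. There is also no CHECK between the T_NEW and the strcat on the next line, so a failed allocation would be written through before it is noticed — worth confirming how T_NEW fails. The enclosing function starts and ends outside the hunk.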
@@ -4647,7 +4647,7 @@ unpacker::file* unpacker::get_next_file() {
 bytes& prefix = cur_class->ref(0)->value.b;
 const char* suffix = ".class";
 int len = (int)(prefix.len + strlen(suffix));
- bytes name; name.set(T_NEW(byte, len + 1), len);
+ bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);
 cur_file.name = name.strcat(prefix).strcat(suffix).strval();
 }
 } else {
@@ -4714,6 +4714,7 @@ void unpacker::write_file_to_jar(unpacker::file* f) {
 input.ensureSize(fleft);
 }
 rplimit = rp = input.base();
+ CHECK;
 input.setLimit(rp + fleft);
 if (!ensure_input(fleft))
 abort("EOF reading resource file");
-- 
GitLab
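Review bot: In `get_next_file` the check lands on `len` only after `int len = (int)(prefix.len + strlen(suffix));` has already narrowed the size_t sum, so the new `add_size(len, 1)` can only catch an overflow of `len + 1`, not of the sum that produced it. Suggest `size_t len = add_size(prefix.len, strlen(suffix));` ahead of `bytes name; name.set(T_NEW(byte, add_size(len, 1)), len);` so the whole computation is checked in size_t. The allocation result is then consumed by `name.strcat(prefix).strcat(suffix).strval()` on the next line with no check in between; if T_NEW returns null on failure that is a write through a null pointer, so either a `CHECK_(null);` after the set or confirmation that T_NEW cannot return null is wanted. The function starts before the hunk and its return is outside it.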
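Review bot: The new `CHECK;` in `write_file_to_jar` presumably guards against an abort raised by `input.ensureSize(fleft)` two lines up, but nothing says so, and a reader will wonder why it sits after `rplimit = rp = input.base();` rather than next to the call it protects. Annotating it, e.g. `CHECK; // ensureSize() may have aborted on an oversize fleft; do not form rp + fleft on a stale buffer`, would make the intent clear. The following line, `input.setLimit(rp + fleft);`, still does pointer arithmetic with an fleft that is not bounded anywhere in this hunk; whether an earlier line limits it is not visible here. The function starts before the hunk.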