6830335: Java JAR Pack200 Decompression Integer Overflow Vulnerability

Summary: Fixes a potential vulnerability in the unpack200 logic, by adding extra checks, a back-port. Reviewed-by: asaha

6830335: Java JAR Pack200 Decompression Integer Overflow Vulnerability
Summary: Fixes a potential vulnerability in the unpack200 logic, by adding extra checks, a back-port. Reviewed-by: asaha
85d6f7d8 · ksrini · 2ba224d3 · 85d6f7d8
隐藏空白更改
内联并排

Showing with 6 addition and 4 deletion

src/share/native/com/sun/java/util/jar/pack/unpack.cpp src/share/native/com/sun/java/util/jar/pack/unpack.cpp +6 -4

未找到文件。
--- a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
+++ b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
@@ -908,10 +908,12 @@ void cpool::init(unpacker* u_, int counts[NUM_COUNTS]) {

  // place a limit on future CP growth:
  int generous = 0;
-  generous += u->ic_count*3; // implicit name, outer, outer.utf8
-  generous += 40;  // WKUs, misc
-  generous += u->class_count;  // implicit SourceFile strings
-  maxentries = nentries + generous;
+  generous = add_size(generous, u->ic_count); // implicit name
+  generous = add_size(generous, u->ic_count); // outer
+  generous = add_size(generous, u->ic_count); // outer.utf8
+  generous = add_size(generous, 40); // WKUs, misc
+  generous = add_size(generous, u->class_count); // implicit SourceFile strings
+  maxentries = add_size(nentries, generous);

  // Note that this CP does not include "empty" entries
  // for longs and doubles.  Those are introduced when