Merge

.hgtags

@@ -358,6 +358,7 @@ a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11
 ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31
 46338075c4262057099e57638e0758817052da0d jdk8u31-b32
 a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33
+35dfb86684554685d6efd2fc7fd5eb9b7d4545c5 jdk8u31-b34
 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00
 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01
 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02
@@ -429,6 +430,8 @@ b7403e15864dc0c1f9740d66af91bddb3e2215e8 jdk8u51-b14
 192bda44c0c463104c96058bb815a546b282ca43 jdk8u51-b15
 ee86422973691bb7efae58d201e5a382ea0bb150 jdk8u51-b16
 f94ea276f608b22d78281d70361092ba4864038e jdk8u51-b31
+887dde3afb3bb233958775de22eafb3328af6437 jdk8u51-b32
+dc7b827522bc3a804f7e8951cc27414f19a7c427 jdk8u51-b33
 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00
 c46daef6edb5385d11876ed40f292a4b62e96867 jdk8u60-b01
 c10fd784956cc7099657181029ac3e790267b678 jdk8u60-b02
@@ -457,6 +460,8 @@ d433f5fd8910bee1f2c295b65cf03977034fe0ea jdk8u60-b24
 c8cfbe57bcd5042d2fef42dcef14d73dd4bdc416 jdk8u60-b25
 0d6a8a9b26a37678b420ff540b5a622c3f4fd44c jdk8u60-b26
 afbc08ea922bf6e5e14d2eea24a2f94f37627ea7 jdk8u60-b27
+1450696a76c667e6f189d026408182a002b93fa7 jdk8u60-b31
+fe24fa1e6d995390df6491975352a15634981b35 jdk8u60-b32
 286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u65-b00
 80a796d0db958f49a4b0713818227eda8e5efbb9 jdk8u65-b01
 77d48e6d111faec236c8678997ae4311151cfee4 jdk8u65-b02
@@ -489,12 +494,41 @@ e951c898bb6ca7be2ce49ac23f8442c0bccad4e9 jdk8u66-b13
 ea602badedd0cd0c352c072220a884e8f1335e33 jdk8u66-b15
 5ceafca6a734e13d51319df6afd40678d68f9851 jdk8u66-b16
 e6d562c0f079dfd1e21c3734b2dca16f4b2e2494 jdk8u66-b17
+fd2fe69089aca0f187901a5f6f8bfe261ff17f5b jdk8u66-b18
+f712dceafb546ea5833aeea507b5736e7e45f1ae jdk8u66-b31
+9a2747ef337bdee71bc8225dea77eb403cca1179 jdk8u71-b00
+e8b5e10a19d66a77d04f12d4677e6fec66f79651 jdk8u71-b01
+25d689a73bc037e1710f95f6d4acf0671d22047d jdk8u71-b02
+ab54163c8610f6238a1d5f1f67cbd19ba13d08a0 jdk8u71-b03
+5ea62bb625b6b8f828098884d13eb2e3114a7c97 jdk8u71-b04
+1a9ced1852957b65e0c156602c3101aff17274fb jdk8u71-b05
+be9d91d310a02c2974d2bdabc31d8a6df8ad596e jdk8u71-b06
+f556d4c82ef13430e2708053caa9e11a74b2aebf jdk8u71-b07
+a81edad7e1e16c2b3cf2e60a8a98e232ebcaf3b1 jdk8u71-b08
+eac13ca04cc5c9adb4f14a76856376db0187f7dc jdk8u71-b09
+e494e93d48f943229223d881a2928064a69cdf23 jdk8u71-b10
+32226f73879f21f7a7bb024f4197c089b53a93c4 jdk8u71-b11
+8181f8b6ef0d861f57547c89e52f258cb5583b77 jdk8u71-b12
+23a6e0931277e7d4278605f55db2c81fcb3907b0 jdk8u71-b13
+1ad1d1b46fef8bf88f36b8d0fae6b51df2de7fb2 jdk8u71-b14
+06e7500086a69545a9f55bf5fec23969abe32c57 jdk8u71-b15
 be5faa9c77042f202106c18f4e8ea211137b4a3b jdk8u72-b00
 5ad1e9e8e8417f80c91d7e0f1f44cdf89b34ead3 jdk8u72-b01
 ab0c1040414d038ccbcfcc8ceb1ccf2f44ead8e4 jdk8u72-b02
 bdbb8a650d90d3481802a4f5297b522a16bd3f63 jdk8u72-b03
 b6645d81ccd773820aca99548640ace9c2f39225 jdk8u72-b04
 2bae9d627eb83f2ea23f4fa86e8eb46920cd1be6 jdk8u72-b05
+93148bc60f510af5160b6727533733c66284a84f jdk8u72-b06
+2a18f2af436ea62e7565ca0324f99112ef9cd4bc jdk8u72-b07
+c7d5bd8d04eb5d2adbb1112de95a2e2986e85925 jdk8u72-b08
+ff73e114d682ec14c11099c6c5d48b75bf685394 jdk8u72-b09
+dcf7fd07b08b59e1802851d016d913c254221a44 jdk8u72-b10
+d7cc3225f1050de03b236b92e12c547f21697013 jdk8u72-b11
+8afb58c7312b45fe5237afb0292176b734934f60 jdk8u72-b12
+d841d3fdae44f120883dab0a3a809a054cd0274b jdk8u72-b13
+f6d24d424cd2af4d2612f7737d3d9a25f58b882d jdk8u72-b14
+f3e86cc607260bae368b52d88d7bc8883ee767e3 jdk8u72-b15
 39baa472e20c13c0eb1243eb5dce589e82f78143 jdk8u76-b00
 6ea3aea950d19d803475b3f4d704a2942e71b302 jdk8u76-b01
 4de4cffb5988cd68959ce4bbd14c6d4547078c91 jdk8u76-b02
+8bef978e2374604f449b4d1d7f90cb26618540d7 jdk8u76-b03

src/macosx/classes/sun/lwawt/macosx/CPrinterJob.java

 /*
- * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -234,6 +234,11 @@ public final class CPrinterJob extends RasterPrinterJob {
         // this will not work if the user clicks on the "Preview" button
         // However if the printer is a StreamPrintService, its the right path.
         PrintService psvc = getPrintService();
+
+        if (psvc == null) {
+            throw new PrinterException("No print service found.");
+        }
+
         if (psvc instanceof StreamPrintService) {
             spoolToService(psvc, attributes);
             return;
@@ -775,4 +780,4 @@ public final class CPrinterJob extends RasterPrinterJob {
                 (float) (paper.getImageableHeight() / dpi),
                 MediaPrintableArea.INCH);
     }
-}
+}
\ No newline at end of file

src/share/classes/com/sun/crypto/provider/PBES2Core.java

 /*
- * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -263,7 +263,7 @@ abstract class PBES2Core extends CipherSpi {
             passwdChars[i] = (char) (passwdBytes[i] & 0x7f);
 
         PBEKeySpec pbeSpec =
-            new PBEKeySpec(passwdChars, salt, iCount, blkSize * 8);
+            new PBEKeySpec(passwdChars, salt, iCount, keyLength);
             // password char[] was cloned in PBEKeySpec constructor,
             // so we can zero it out here
         java.util.Arrays.fill(passwdChars, ' ');

src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java

@@ -74,11 +74,14 @@ public final class TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi {
                 "TlsRsaPremasterSecretGenerator must be initialized");
         }
 
-        if (random == null) {
-            random = new SecureRandom();
+        byte[] b = spec.getEncodedSecret();
+        if (b == null) {
+            if (random == null) {
+                random = new SecureRandom();
+            }
+            b = new byte[48];
+            random.nextBytes(b);
         }
-        byte[] b = new byte[48];
-        random.nextBytes(b);
         b[0] = (byte)spec.getMajorVersion();
         b[1] = (byte)spec.getMinorVersion();
 

src/share/classes/java/net/URL.java

 /*
- * Copyright (c) 1995, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,10 @@ package java.net;
 
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectStreamException;
+import java.io.ObjectStreamField;
+import java.io.ObjectInputStream.GetField;
 import java.util.Hashtable;
 import java.util.StringTokenizer;
 import sun.security.util.SecurityConstants;
@@ -135,6 +139,7 @@ import sun.security.util.SecurityConstants;
  */
 public final class URL implements java.io.Serializable {
 
+    static final String BUILTIN_HANDLERS_PREFIX = "sun.net.www.protocol";
     static final long serialVersionUID = -7627629688361524110L;
 
     /**
@@ -219,6 +224,8 @@ public final class URL implements java.io.Serializable {
      */
     private int hashCode = -1;
 
+    private transient UrlDeserializedState tempState;
+
     /**
      * Creates a {@code URL} object from the specified
      * {@code protocol}, {@code host}, {@code port}
@@ -1219,6 +1226,31 @@ public final class URL implements java.io.Serializable {
 
     }
 
+    /**
+     * @serialField    protocol String
+     *
+     * @serialField    host String
+     *
+     * @serialField    port int
+     *
+     * @serialField    authority String
+     *
+     * @serialField    file String
+     *
+     * @serialField    ref String
+     *
+     * @serialField    hashCode int
+     *
+     */
+    private static final ObjectStreamField[] serialPersistentFields = {
+        new ObjectStreamField("protocol", String.class),
+        new ObjectStreamField("host", String.class),
+        new ObjectStreamField("port", int.class),
+        new ObjectStreamField("authority", String.class),
+        new ObjectStreamField("file", String.class),
+        new ObjectStreamField("ref", String.class),
+        new ObjectStreamField("hashCode", int.class), };
+
     /**
      * WriteObject is called to save the state of the URL to an
      * ObjectOutputStream. The handler is not saved since it is
@@ -1241,16 +1273,67 @@ public final class URL implements java.io.Serializable {
      * stream handler.
      */
     private synchronized void readObject(java.io.ObjectInputStream s)
-         throws IOException, ClassNotFoundException
-    {
-        s.defaultReadObject();  // read the fields
-        if ((handler = getURLStreamHandler(protocol)) == null) {
+            throws IOException, ClassNotFoundException {
+        GetField gf = s.readFields();
+        String protocol = (String)gf.get("protocol", null);
+        if (getURLStreamHandler(protocol) == null) {
             throw new IOException("unknown protocol: " + protocol);
         }
+        String host = (String)gf.get("host", null);
+        int port = gf.get("port", -1);
+        String authority = (String)gf.get("authority", null);
+        String file = (String)gf.get("file", null);
+        String ref = (String)gf.get("ref", null);
+        int hashCode = gf.get("hashCode", -1);
+        if (authority == null
+                && ((host != null && host.length() > 0) || port != -1)) {
+            if (host == null)
+                host = "";
+            authority = (port == -1) ? host : host + ":" + port;
+        }
+        tempState = new UrlDeserializedState(protocol, host, port, authority,
+               file, ref, hashCode);
+    }
+
+    /**
+     * Replaces the de-serialized object with an URL object.
+     *
+     * @return a newly created object from the deserialzed state.
+     *
+     * @throws ObjectStreamException if a new object replacing this
+     * object could not be created
+     */
+
+   private Object readResolve() throws ObjectStreamException {
+
+        URLStreamHandler handler = null;
+        // already been checked in readObject
+        handler = getURLStreamHandler(tempState.getProtocol());
+
+        URL replacementURL = null;
+        if (isBuiltinStreamHandler(handler.getClass().getName())) {
+            replacementURL = fabricateNewURL();
+        } else {
+            replacementURL = setDeserializedFields(handler);
+        }
+        return replacementURL;
+    }
+
+    private URL setDeserializedFields(URLStreamHandler handler) {
+        URL replacementURL;
+        String userInfo = null;
+        String protocol = tempState.getProtocol();
+        String host = tempState.getHost();
+        int port = tempState.getPort();
+        String authority = tempState.getAuthority();
+        String file = tempState.getFile();
+        String ref = tempState.getRef();
+        int hashCode = tempState.getHashCode();
+
 
         // Construct authority part
-        if (authority == null &&
-            ((host != null && host.length() > 0) || port != -1)) {
+        if (authority == null
+            && ((host != null && host.length() > 0) || port != -1)) {
             if (host == null)
                 host = "";
             authority = (port == -1) ? host : host + ":" + port;
@@ -1269,8 +1352,8 @@ public final class URL implements java.io.Serializable {
         }
 
         // Construct path and query part
-        path = null;
-        query = null;
+        String path = null;
+        String query = null;
         if (file != null) {
             // Fix: only do this if hierarchical?
             int q = file.lastIndexOf('?');
@@ -1280,6 +1363,67 @@ public final class URL implements java.io.Serializable {
             } else
                 path = file;
         }
+
+        if (port == -1) {
+            port = 0;
+        }
+        // Set the object fields.
+        this.protocol = protocol;
+        this.host = host;
+        this.port = port;
+        this.file = file;
+        this.authority = authority;
+        this.ref = ref;
+        this.hashCode = hashCode;
+        this.handler = handler;
+        this.query = query;
+        this.path = path;
+        this.userInfo = userInfo;
+        replacementURL = this;
+        return replacementURL;
+    }
+
+    private URL fabricateNewURL()
+                throws InvalidObjectException {
+        // create URL string from deserialized object
+        URL replacementURL = null;
+        String urlString = tempState.reconstituteUrlString();
+
+        try {
+            replacementURL = new URL(urlString);
+        } catch (MalformedURLException mEx) {
+            resetState();
+            InvalidObjectException invoEx = new InvalidObjectException(
+                    "Malformed URL: " + urlString);
+            invoEx.initCause(mEx);
+            throw invoEx;
+        }
+        replacementURL.setSerializedHashCode(tempState.getHashCode());
+        resetState();
+        return replacementURL;
+    }
+
+    private boolean isBuiltinStreamHandler(String handlerClassName) {
+        return (handlerClassName.startsWith(BUILTIN_HANDLERS_PREFIX));
+    }
+
+    private void resetState() {
+        this.protocol = null;
+        this.host = null;
+        this.port = -1;
+        this.file = null;
+        this.authority = null;
+        this.ref = null;
+        this.hashCode = -1;
+        this.handler = null;
+        this.query = null;
+        this.path = null;
+        this.userInfo = null;
+        this.tempState = null;
+    }
+
+    private void setSerializedHashCode(int hc) {
+        this.hashCode = hc;
     }
 }
 
@@ -1311,3 +1455,82 @@ class Parts {
         return ref;
     }
 }
+
+final class UrlDeserializedState {
+    private final String protocol;
+    private final String host;
+    private final int port;
+    private final String authority;
+    private final String file;
+    private final String ref;
+    private final int hashCode;
+
+    public UrlDeserializedState(String protocol,
+                                String host, int port,
+                                String authority, String file,
+                                String ref, int hashCode) {
+        this.protocol = protocol;
+        this.host = host;
+        this.port = port;
+        this.authority = authority;
+        this.file = file;
+        this.ref = ref;
+        this.hashCode = hashCode;
+    }
+
+    String getProtocol() {
+        return protocol;
+    }
+
+    String getHost() {
+        return host;
+    }
+
+    String getAuthority () {
+        return authority;
+    }
+
+    int getPort() {
+        return port;
+    }
+
+    String getFile () {
+        return file;
+    }
+
+    String getRef () {
+        return ref;
+    }
+
+    int getHashCode () {
+        return hashCode;
+    }
+
+    String reconstituteUrlString() {
+
+        // pre-compute length of StringBuilder
+        int len = protocol.length() + 1;
+        if (authority != null && authority.length() > 0)
+            len += 2 + authority.length();
+        if (file != null) {
+            len += file.length();
+        }
+        if (ref != null)
+            len += 1 + ref.length();
+        StringBuilder result = new StringBuilder(len);
+        result.append(protocol);
+        result.append(":");
+        if (authority != null && authority.length() > 0) {
+            result.append("//");
+            result.append(authority);
+        }
+        if (file != null) {
+            result.append(file);
+        }
+        if (ref != null) {
+            result.append("#");
+            result.append(ref);
+        }
+        return result.toString();
+    }
+}

src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java

@@ -361,7 +361,6 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
                              "connectionId=" + connectionId
                              +", className=" + className
                              +", name=" + name
-                             +", params=" + objects(values)
                              +", signature=" + strings(signature));
 
             return (ObjectInstance)
@@ -427,7 +426,6 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
                  +", className=" + className
                  +", name=" + name
                  +", loaderName=" + loaderName
-                 +", params=" + objects(values)
                  +", signature=" + strings(signature));
 
             return (ObjectInstance)
@@ -719,7 +717,7 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
             if (debug) logger.debug("setAttribute",
                              "connectionId=" + connectionId
                              +", name="+name
-                             +", attribute="+attr);
+                             +", attribute name="+attr.getName());
 
             doPrivilegedOperation(
               SET_ATTRIBUTE,
@@ -770,7 +768,7 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
             if (debug) logger.debug("setAttributes",
                              "connectionId=" + connectionId
                              +", name="+name
-                             +", attributes="+attrlist);
+                             +", attribute names="+RMIConnector.getAttributesNames(attrlist));
 
             return (AttributeList)
                 doPrivilegedOperation(
@@ -825,7 +823,6 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
                              "connectionId=" + connectionId
                              +", name="+name
                              +", operationName="+operationName
-                             +", params="+objects(values)
                              +", signature="+strings(signature));
 
             return

src/share/classes/javax/management/remote/rmi/RMIConnector.java

@@ -41,7 +41,6 @@ import java.io.NotSerializableException;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
 import java.io.Serializable;
-import java.io.WriteAbortedException;
 import java.lang.ref.WeakReference;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationHandler;
@@ -70,6 +69,7 @@ import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.WeakHashMap;
+import java.util.stream.Collectors;
 import javax.management.Attribute;
 import javax.management.AttributeList;
 import javax.management.AttributeNotFoundException;
@@ -712,9 +712,7 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
             if (logger.debugOn())
                 logger.debug("createMBean(String,ObjectName,Object[],String[])",
                         "className=" + className + ", name="
-                        + name + ", params="
-                        + objects(params) + ", signature="
-                        + strings(signature));
+                        + name + ", signature=" + strings(signature));
 
             final MarshalledObject<Object[]> sParams =
                     new MarshalledObject<Object[]>(params);
@@ -753,8 +751,7 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
             if (logger.debugOn()) logger.debug(
                     "createMBean(String,ObjectName,ObjectName,Object[],String[])",
                     "className=" + className + ", name=" + name + ", loaderName="
-                    + loaderName + ", params=" + objects(params)
-                    + ", signature=" + strings(signature));
+                    + loaderName + ", signature=" + strings(signature));
 
             final MarshalledObject<Object[]> sParams =
                     new MarshalledObject<Object[]>(params);
@@ -954,8 +951,8 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
                 IOException {
 
             if (logger.debugOn()) logger.debug("setAttribute",
-                    "name=" + name + ", attribute="
-                    + attribute);
+                    "name=" + name + ", attribute name="
+                    + attribute.getName());
 
             final MarshalledObject<Attribute> sAttribute =
                     new MarshalledObject<Attribute>(attribute);
@@ -977,9 +974,11 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
                 ReflectionException,
                 IOException {
 
-            if (logger.debugOn()) logger.debug("setAttributes",
-                    "name=" + name + ", attributes="
-                    + attributes);
+            if (logger.debugOn()) {
+                logger.debug("setAttributes",
+                    "name=" + name + ", attribute names="
+                    + getAttributesNames(attributes));
+            }
 
             final MarshalledObject<AttributeList> sAttributes =
                     new MarshalledObject<AttributeList>(attributes);
@@ -1012,7 +1011,6 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
             if (logger.debugOn()) logger.debug("invoke",
                     "name=" + name
                     + ", operationName=" + operationName
-                    + ", params=" + objects(params)
                     + ", signature=" + strings(signature));
 
             final MarshalledObject<Object[]> sParams =
@@ -2636,4 +2634,12 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
     private static String strings(final String[] strs) {
         return objects(strs);
     }
+
+    static String getAttributesNames(AttributeList attributes) {
+        return attributes != null ?
+                attributes.asList().stream()
+                        .map(Attribute::getName)
+                        .collect(Collectors.joining("[", ", ", "]"))
+                : "[]";
+    }
 }

src/share/classes/sun/management/GarbageCollectorImpl.java

@@ -102,17 +102,13 @@ class GarbageCollectorImpl extends MemoryManagerImpl
         GarbageCollectionNotificationInfo.GARBAGE_COLLECTION_NOTIFICATION
     };
 
-    private MBeanNotificationInfo[] notifInfo = null;
+    @Override
     public MBeanNotificationInfo[] getNotificationInfo() {
-        synchronized (this) {
-            if (notifInfo == null) {
-                 notifInfo = new MBeanNotificationInfo[1];
-                 notifInfo[0] = new MBeanNotificationInfo(gcNotifTypes,
-                                                          notifName,
-                                                          "GC Notification");
-            }
-        }
-        return notifInfo;
+        return new MBeanNotificationInfo[]{
+            new MBeanNotificationInfo(gcNotifTypes,
+            notifName,
+            "GC Notification")
+        };
     }
 
     private static long seqNumber = 0;

src/share/classes/sun/management/MemoryImpl.java

@@ -115,17 +115,10 @@ class MemoryImpl extends NotificationEmitterSupport
         "Memory usage exceeds collection usage threshold"
     };
 
-    private MBeanNotificationInfo[] notifInfo = null;
     public MBeanNotificationInfo[] getNotificationInfo() {
-        synchronized (this) {
-            if (notifInfo == null) {
-                 notifInfo = new MBeanNotificationInfo[1];
-                 notifInfo[0] = new MBeanNotificationInfo(notifTypes,
-                                                          notifName,
-                                                          "Memory Notification");
-            }
-        }
-        return notifInfo;
+        return new MBeanNotificationInfo[] {
+            new MBeanNotificationInfo(notifTypes, notifName, "Memory Notification")
+        };
     }
 
     private static String getNotifMsg(String notifType) {

src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java

@@ -25,6 +25,7 @@
 
 package sun.reflect.annotation;
 
+import java.io.ObjectInputStream;
 import java.lang.annotation.*;
 import java.lang.reflect.*;
 import java.io.Serializable;
@@ -425,35 +426,72 @@ class AnnotationInvocationHandler implements InvocationHandler, Serializable {
 
     private void readObject(java.io.ObjectInputStream s)
         throws java.io.IOException, ClassNotFoundException {
-        s.defaultReadObject();
+        ObjectInputStream.GetField fields = s.readFields();
+
+        @SuppressWarnings("unchecked")
+        Class<? extends Annotation> t = (Class<? extends Annotation>)fields.get("type", null);
+        @SuppressWarnings("unchecked")
+        Map<String, Object> streamVals = (Map<String, Object>)fields.get("memberValues", null);
 
         // Check to make sure that types have not evolved incompatibly
 
         AnnotationType annotationType = null;
         try {
-            annotationType = AnnotationType.getInstance(type);
+            annotationType = AnnotationType.getInstance(t);
         } catch(IllegalArgumentException e) {
             // Class is no longer an annotation type; time to punch out
             throw new java.io.InvalidObjectException("Non-annotation type in annotation serial stream");
         }
 
         Map<String, Class<?>> memberTypes = annotationType.memberTypes();
+        // consistent with runtime Map type
+        Map<String, Object> mv = new LinkedHashMap<>();
 
         // If there are annotation members without values, that
         // situation is handled by the invoke method.
-        for (Map.Entry<String, Object> memberValue : memberValues.entrySet()) {
+        for (Map.Entry<String, Object> memberValue : streamVals.entrySet()) {
             String name = memberValue.getKey();
+            Object value = null;
             Class<?> memberType = memberTypes.get(name);
             if (memberType != null) {  // i.e. member still exists
-                Object value = memberValue.getValue();
+                value = memberValue.getValue();
                 if (!(memberType.isInstance(value) ||
                       value instanceof ExceptionProxy)) {
-                    memberValue.setValue(
-                        new AnnotationTypeMismatchExceptionProxy(
+                    value = new AnnotationTypeMismatchExceptionProxy(
                             value.getClass() + "[" + value + "]").setMember(
-                                annotationType.members().get(name)));
+                                annotationType.members().get(name));
                 }
             }
+            mv.put(name, value);
+        }
+
+        UnsafeAccessor.setType(this, t);
+        UnsafeAccessor.setMemberValues(this, mv);
+    }
+
+    private static class UnsafeAccessor {
+        private static final sun.misc.Unsafe unsafe;
+        private static final long typeOffset;
+        private static final long memberValuesOffset;
+        static {
+            try {
+                unsafe = sun.misc.Unsafe.getUnsafe();
+                typeOffset = unsafe.objectFieldOffset
+                        (AnnotationInvocationHandler.class.getDeclaredField("type"));
+                memberValuesOffset = unsafe.objectFieldOffset
+                        (AnnotationInvocationHandler.class.getDeclaredField("memberValues"));
+            } catch (Exception ex) {
+                throw new ExceptionInInitializerError(ex);
+            }
+        }
+        static void setType(AnnotationInvocationHandler o,
+                            Class<? extends Annotation> type) {
+            unsafe.putObject(o, typeOffset, type);
+        }
+
+        static void setMemberValues(AnnotationInvocationHandler o,
+                                    Map<String, Object> memberValues) {
+            unsafe.putObject(o, memberValuesOffset, memberValues);
         }
     }
 }

src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java

@@ -43,6 +43,8 @@ import java.security.PrivilegedAction;
 public class TlsRsaPremasterSecretParameterSpec
         implements AlgorithmParameterSpec {
 
+    private final byte[] encodedSecret;
+
     /*
      * The TLS spec says that the version in the RSA premaster secret must
      * be the maximum version supported by the client (i.e. the version it
@@ -89,6 +91,33 @@ public class TlsRsaPremasterSecretParameterSpec
 
         this.clientVersion = checkVersion(clientVersion);
         this.serverVersion = checkVersion(serverVersion);
+        this.encodedSecret = null;
+    }
+
+    /**
+     * Constructs a new TlsRsaPremasterSecretParameterSpec.
+     *
+     * @param clientVersion the version of the TLS protocol by which the
+     *        client wishes to communicate during this session
+     * @param serverVersion the negotiated version of the TLS protocol which
+     *        contains the lower of that suggested by the client in the client
+     *        hello and the highest supported by the server.
+     * @param encodedSecret the encoded secret key
+     *
+     * @throws IllegalArgumentException if clientVersion or serverVersion are
+     *   negative or larger than (2^16 - 1) or if encodedSecret is not
+     *   exactly 48 bytes
+     */
+    public TlsRsaPremasterSecretParameterSpec(
+            int clientVersion, int serverVersion, byte[] encodedSecret) {
+
+        this.clientVersion = checkVersion(clientVersion);
+        this.serverVersion = checkVersion(serverVersion);
+        if (encodedSecret == null || encodedSecret.length != 48) {
+            throw new IllegalArgumentException(
+                        "Encoded secret is not exactly 48 bytes");
+        }
+        this.encodedSecret = encodedSecret.clone();
     }
 
     /**
@@ -147,4 +176,13 @@ public class TlsRsaPremasterSecretParameterSpec
         }
         return version;
     }
+
+    /**
+     * Returns the encoded secret.
+     *
+     * @return the encoded secret, may be null if no encoded secret.
+     */
+    public byte[] getEncodedSecret() {
+        return encodedSecret == null ? null : encodedSecret.clone();
+    }
 }

src/share/classes/sun/security/jca/JCAUtil.java

 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,12 +41,6 @@ public final class JCAUtil {
         // no instantiation
     }
 
-    // lock to use for synchronization
-    private static final Object LOCK = JCAUtil.class;
-
-    // cached SecureRandom instance
-    private static volatile SecureRandom secureRandom;
-
     // size of the temporary arrays we use. Should fit into the CPU's 1st
     // level cache and could be adjusted based on the platform
     private final static int ARRAY_SIZE = 4096;
@@ -60,26 +54,19 @@ public final class JCAUtil {
         return Math.min(ARRAY_SIZE, totalSize);
     }
 
+    // cached SecureRandom instance
+    private static class CachedSecureRandomHolder {
+        public static SecureRandom instance = new SecureRandom();
+    }
+
     /**
-     * Get a SecureRandom instance. This method should me used by JDK
+     * Get a SecureRandom instance. This method should be used by JDK
      * internal code in favor of calling "new SecureRandom()". That needs to
      * iterate through the provider table to find the default SecureRandom
      * implementation, which is fairly inefficient.
      */
     public static SecureRandom getSecureRandom() {
-        // we use double checked locking to minimize synchronization
-        // works because we use a volatile reference
-        SecureRandom r = secureRandom;
-        if (r == null) {
-            synchronized (LOCK) {
-                r = secureRandom;
-                if (r == null) {
-                    r = new SecureRandom();
-                    secureRandom = r;
-                }
-            }
-        }
-        return r;
+        return CachedSecureRandomHolder.instance;
     }
 
 }

src/share/classes/sun/security/pkcs11/P11Cipher.java

@@ -35,6 +35,7 @@ import javax.crypto.*;
 import javax.crypto.spec.*;
 
 import sun.nio.ch.DirectBuffer;
+import sun.security.jca.JCAUtil;
 import sun.security.pkcs11.wrapper.*;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
 
@@ -379,7 +380,7 @@ final class P11Cipher extends CipherSpi {
                 }
                 // generate random IV
                 if (random == null) {
-                    random = new SecureRandom();
+                    random = JCAUtil.getSecureRandom();
                 }
                 iv = new byte[blockSize];
                 random.nextBytes(iv);

src/share/classes/sun/security/pkcs11/P11RSACipher.java

@@ -468,49 +468,49 @@ final class P11RSACipher extends CipherSpi {
                 algorithm.equals("TlsRsaPremasterSecret");
         Exception failover = null;
 
-        SecureRandom secureRandom = random;
-        if (secureRandom == null && isTlsRsaPremasterSecret) {
-            secureRandom = new SecureRandom();
-        }
-
         // Should C_Unwrap be preferred for non-TLS RSA premaster secret?
         if (token.supportsRawSecretKeyImport()) {
             // XXX implement unwrap using C_Unwrap() for all keys
             implInit(Cipher.DECRYPT_MODE, p11Key);
-            if (wrappedKey.length > maxInputSize) {
-                throw new InvalidKeyException("Key is too long for unwrapping");
-            }
-
-            byte[] encoded = null;
-            implUpdate(wrappedKey, 0, wrappedKey.length);
             try {
-                encoded = doFinal();
-            } catch (BadPaddingException e) {
-                if (isTlsRsaPremasterSecret) {
-                    failover = e;
-                } else {
+                if (wrappedKey.length > maxInputSize) {
+                    throw new InvalidKeyException("Key is too long for unwrapping");
+                }
+
+                byte[] encoded = null;
+                implUpdate(wrappedKey, 0, wrappedKey.length);
+                try {
+                    encoded = doFinal();
+                } catch (BadPaddingException e) {
+                    if (isTlsRsaPremasterSecret) {
+                        failover = e;
+                    } else {
+                        throw new InvalidKeyException("Unwrapping failed", e);
+                    }
+                } catch (IllegalBlockSizeException e) {
+                    // should not occur, handled with length check above
                     throw new InvalidKeyException("Unwrapping failed", e);
                 }
-            } catch (IllegalBlockSizeException e) {
-                // should not occur, handled with length check above
-                throw new InvalidKeyException("Unwrapping failed", e);
-            }
 
-            if (isTlsRsaPremasterSecret) {
-                if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) {
-                    throw new IllegalStateException(
-                            "No TlsRsaPremasterSecretParameterSpec specified");
+                if (isTlsRsaPremasterSecret) {
+                    if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) {
+                        throw new IllegalStateException(
+                                "No TlsRsaPremasterSecretParameterSpec specified");
+                    }
+
+                    // polish the TLS premaster secret
+                    TlsRsaPremasterSecretParameterSpec psps =
+                            (TlsRsaPremasterSecretParameterSpec)spec;
+                    encoded = KeyUtil.checkTlsPreMasterSecretKey(
+                            psps.getClientVersion(), psps.getServerVersion(),
+                            random, encoded, (failover != null));
                 }
 
-                // polish the TLS premaster secret
-                TlsRsaPremasterSecretParameterSpec psps =
-                        (TlsRsaPremasterSecretParameterSpec)spec;
-                encoded = KeyUtil.checkTlsPreMasterSecretKey(
-                        psps.getClientVersion(), psps.getServerVersion(),
-                        secureRandom, encoded, (failover != null));
+                return ConstructKeys.constructKey(encoded, algorithm, type);
+            } finally {
+                // Restore original mode
+                implInit(Cipher.UNWRAP_MODE, p11Key);
             }
-
-            return ConstructKeys.constructKey(encoded, algorithm, type);
         } else {
             Session s = null;
             SecretKey secretKey = null;
@@ -538,20 +538,13 @@ final class P11RSACipher extends CipherSpi {
                 }
 
                 if (isTlsRsaPremasterSecret) {
-                    byte[] replacer = new byte[48];
-                    if (failover == null) {
-                        // Does smart compiler dispose this operation?
-                        secureRandom.nextBytes(replacer);
-                    }
-
                     TlsRsaPremasterSecretParameterSpec psps =
                             (TlsRsaPremasterSecretParameterSpec)spec;
 
-                    // Please use the tricky failover and replacer byte array
-                    // as the parameters so that smart compiler won't dispose
-                    // the unused variable .
+                    // Please use the tricky failover as the parameter so that
+                    // smart compiler won't dispose the unused variable.
                     secretKey = polishPreMasterSecretKey(token, s,
-                            failover, replacer, secretKey,
+                            failover, secretKey,
                             psps.getClientVersion(), psps.getServerVersion());
                 }
 
@@ -570,29 +563,27 @@ final class P11RSACipher extends CipherSpi {
 
     private static SecretKey polishPreMasterSecretKey(
             Token token, Session session,
-            Exception failover, byte[] replacer, SecretKey secretKey,
+            Exception failover, SecretKey unwrappedKey,
             int clientVersion, int serverVersion) {
 
-        if (failover != null) {
-            CK_VERSION version = new CK_VERSION(
-                    (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF);
-            try {
-                CK_ATTRIBUTE[] attributes = token.getAttributes(
-                        O_GENERATE, CKO_SECRET_KEY,
-                        CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
-                long keyID = token.p11.C_GenerateKey(session.id(),
-                    // new CK_MECHANISM(CKM_TLS_PRE_MASTER_KEY_GEN, version),
-                        new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version),
-                        attributes);
-                return P11Key.secretKey(session,
-                        keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
-            } catch (PKCS11Exception e) {
-                throw new ProviderException(
-                        "Could not generate premaster secret", e);
-            }
+        SecretKey newKey;
+        CK_VERSION version = new CK_VERSION(
+                (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF);
+        try {
+            CK_ATTRIBUTE[] attributes = token.getAttributes(
+                    O_GENERATE, CKO_SECRET_KEY,
+                    CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]);
+            long keyID = token.p11.C_GenerateKey(session.id(),
+                    new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version),
+                    attributes);
+            newKey = P11Key.secretKey(session,
+                    keyID, "TlsRsaPremasterSecret", 48 << 3, attributes);
+        } catch (PKCS11Exception e) {
+            throw new ProviderException(
+                    "Could not generate premaster secret", e);
         }
 
-        return secretKey;
+        return (failover == null) ? unwrappedKey : newKey;
     }
 
 }

src/share/classes/sun/security/ssl/ClientHandshaker.java

@@ -269,7 +269,7 @@ final class ClientHandshaker extends Handshaker {
                         input, serverKey,
                         clnt_random.random_bytes, svr_random.random_bytes,
                         messageLen,
-                        localSupportedSignAlgs, protocolVersion));
+                        getLocalSupportedSignAlgs(), protocolVersion));
                 } catch (GeneralSecurityException e) {
                     throwSSLException("Server key", e);
                 }
@@ -281,7 +281,7 @@ final class ClientHandshaker extends Handshaker {
                     this.serverKeyExchange(new ECDH_ServerKeyExchange
                         (input, serverKey, clnt_random.random_bytes,
                         svr_random.random_bytes,
-                        localSupportedSignAlgs, protocolVersion));
+                        getLocalSupportedSignAlgs(), protocolVersion));
                 } catch (GeneralSecurityException e) {
                     throwSSLException("Server key", e);
                 }
@@ -331,7 +331,7 @@ final class ClientHandshaker extends Handshaker {
 
                 Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
                     SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                            algorithmConstraints, peerSignAlgs);
                 if (supportedPeerSignAlgs.isEmpty()) {
                     throw new SSLHandshakeException(
                         "No supported signature and hash algorithm in common");
@@ -1094,8 +1094,8 @@ final class ClientHandshaker extends Handshaker {
                 if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
                     preferableSignatureAlgorithm =
                         SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                            peerSupportedSignAlgs, signingKey.getAlgorithm(),
-                            signingKey);
+                            getPeerSupportedSignAlgs(),
+                            signingKey.getAlgorithm(), signingKey);
 
                     if (preferableSignatureAlgorithm == null) {
                         throw new SSLHandshakeException(

src/share/classes/sun/security/ssl/HandshakeMessage.java

@@ -1557,7 +1557,7 @@ static final class CertificateVerify extends HandshakeMessage {
     // the signature bytes
     private byte[] signature;
 
-    // protocol version being established using this ServerKeyExchange message
+    // protocol version being established using this CertificateVerify message
     ProtocolVersion protocolVersion;
 
     // the preferable signature algorithm used by this CertificateVerify message
@@ -1610,7 +1610,7 @@ static final class CertificateVerify extends HandshakeMessage {
                     preferableSignatureAlgorithm)) {
                 throw new SSLHandshakeException(
                         "Unsupported SignatureAndHashAlgorithm in " +
-                        "ServerKeyExchange message");
+                        "CertificateVerify message");
             }
         }
 

src/share/classes/sun/security/ssl/Handshaker.java

@@ -89,7 +89,7 @@ abstract class Handshaker {
     AlgorithmConstraints algorithmConstraints = null;
 
     // Local supported signature and algorithms
-    Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
+    private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
 
     // Peer supported signature and algorithms
     Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;

src/share/classes/sun/security/ssl/RSAClientKeyExchange.java

@@ -111,14 +111,34 @@ final class RSAClientKeyExchange extends HandshakeMessage {
             }
         }
 
+        byte[] encoded = null;
         try {
             Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-            cipher.init(Cipher.UNWRAP_MODE, privateKey,
-                    new TlsRsaPremasterSecretParameterSpec(
-                            maxVersion.v, currentVersion.v),
-                    generator);
-            preMaster = (SecretKey)cipher.unwrap(encrypted,
-                                "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            boolean needFailover = !KeyUtil.isOracleJCEProvider(
+                    cipher.getProvider().getName());
+            if (needFailover) {
+                cipher.init(Cipher.DECRYPT_MODE, privateKey);
+                boolean failed = false;
+                try {
+                    encoded = cipher.doFinal(encrypted);
+                } catch (BadPaddingException bpe) {
+                    // Note: encoded == null
+                    failed = true;
+                }
+                encoded = KeyUtil.checkTlsPreMasterSecretKey(
+                                maxVersion.v, currentVersion.v,
+                                generator, encoded, failed);
+                preMaster = generatePreMasterSecret(
+                                maxVersion.v, currentVersion.v,
+                                encoded, generator);
+            } else {
+                cipher.init(Cipher.UNWRAP_MODE, privateKey,
+                        new TlsRsaPremasterSecretParameterSpec(
+                                maxVersion.v, currentVersion.v),
+                        generator);
+                preMaster = (SecretKey)cipher.unwrap(encrypted,
+                        "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            }
         } catch (InvalidKeyException ibk) {
             // the message is too big to process with RSA
             throw new SSLProtocolException(
@@ -133,6 +153,35 @@ final class RSAClientKeyExchange extends HandshakeMessage {
         }
     }
 
+    // generate a premaster secret with the specified version number
+    @SuppressWarnings("deprecation")
+    private static SecretKey generatePreMasterSecret(
+            int clientVersion, int serverVersion,
+            byte[] encodedSecret, SecureRandom generator) {
+
+        if (debug != null && Debug.isOn("handshake")) {
+            System.out.println("Generating a premaster secret");
+        }
+
+        try {
+            String s = ((clientVersion >= ProtocolVersion.TLS12.v) ?
+                "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
+            KeyGenerator kg = JsseJce.getKeyGenerator(s);
+            kg.init(new TlsRsaPremasterSecretParameterSpec(
+                    clientVersion, serverVersion, encodedSecret),
+                    generator);
+            return kg.generateKey();
+        } catch (InvalidAlgorithmParameterException |
+                NoSuchAlgorithmException iae) {
+            // unlikely to happen, otherwise, must be a provider exception
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("RSA premaster secret generation error:");
+                iae.printStackTrace(System.out);
+            }
+            throw new RuntimeException("Could not generate premaster secret", iae);
+        }
+    }
+
     @Override
     int messageType() {
         return ht_client_key_exchange;

src/share/classes/sun/security/ssl/ServerHandshaker.java

@@ -291,7 +291,7 @@ final class ServerHandshaker extends Handshaker {
 
             case HandshakeMessage.ht_certificate_verify:
                 this.clientCertificateVerify(new CertificateVerify(input,
-                            localSupportedSignAlgs, protocolVersion));
+                            getLocalSupportedSignAlgs(), protocolVersion));
                 break;
 
             case HandshakeMessage.ht_finished:
@@ -700,11 +700,10 @@ final class ServerHandshaker extends Handshaker {
                     Collection<SignatureAndHashAlgorithm>
                         supportedPeerSignAlgs =
                             SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                            peerSignAlgs);
+                                algorithmConstraints, peerSignAlgs);
                     if (supportedPeerSignAlgs.isEmpty()) {
                         throw new SSLHandshakeException(
-                            "No supported signature and hash algorithm " +
-                            "in common");
+                            "No signature and hash algorithm in common");
                     }
 
                     setPeerSupportedSignAlgs(supportedPeerSignAlgs);
@@ -1134,6 +1133,13 @@ final class ServerHandshaker extends Handshaker {
                     supportedSignAlgs =
                         new ArrayList<SignatureAndHashAlgorithm>(1);
                     supportedSignAlgs.add(algorithm);
+
+                    supportedSignAlgs =
+                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
+                                algorithmConstraints, supportedSignAlgs);
+
+                    // May be no default activated signature algorithm, but
+                    // let the following process make the final decision.
                 }
 
                 // Sets the peer supported signature algorithm to use in KM
@@ -1178,6 +1184,11 @@ final class ServerHandshaker extends Handshaker {
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                         supportedSignAlgs, "RSA", privateKey);
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1196,6 +1207,11 @@ final class ServerHandshaker extends Handshaker {
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                         supportedSignAlgs, "RSA", privateKey);
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1211,6 +1227,11 @@ final class ServerHandshaker extends Handshaker {
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                                 supportedSignAlgs, "DSA");
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1229,6 +1250,11 @@ final class ServerHandshaker extends Handshaker {
                     SignatureAndHashAlgorithm.getPreferableAlgorithm(
                                             supportedSignAlgs, "ECDSA");
                 if (preferableSignatureAlgorithm == null) {
+                    if ((debug != null) && Debug.isOn("handshake")) {
+                        System.out.println(
+                                "No signature and hash algorithm for cipher " +
+                                suite);
+                    }
                     return false;
                 }
             }
@@ -1274,7 +1300,8 @@ final class ServerHandshaker extends Handshaker {
             break;
         default:
             // internal error, unknown key exchange
-            throw new RuntimeException("Unrecognized cipherSuite: " + suite);
+            throw new RuntimeException(
+                    "Unrecognized cipherSuite: " + suite);
         }
         setCipherSuite(suite);
 

src/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java

@@ -166,10 +166,13 @@ final class SignatureAndHashAlgorithm {
 
     // Get supported algorithm collection from an untrusted collection
     static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(
+            AlgorithmConstraints constraints,
             Collection<SignatureAndHashAlgorithm> algorithms ) {
         Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>();
         for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
+            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
+                                sigAlg.algorithm, null)) {
                 supported.add(sigAlg);
             }
         }
@@ -233,30 +236,42 @@ final class SignatureAndHashAlgorithm {
     }
 
     static SignatureAndHashAlgorithm getPreferableAlgorithm(
-        Collection<SignatureAndHashAlgorithm> algorithms,
-        String expected, PrivateKey signingKey) {
+            Collection<SignatureAndHashAlgorithm> algorithms,
+            String expected, PrivateKey signingKey) {
 
-        if (expected == null && !algorithms.isEmpty()) {
-            for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-                if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM) {
-                    return sigAlg;
+        int maxDigestLength = getMaxDigestLength(signingKey);
+        for (SignatureAndHashAlgorithm algorithm : algorithms) {
+            int signValue = algorithm.id & 0xFF;
+            if ((expected == null) ||
+                    (expected.equalsIgnoreCase("rsa") &&
+                            signValue == SignatureAlgorithm.RSA.value) ||
+                    (expected.equalsIgnoreCase("dsa") &&
+                            signValue == SignatureAlgorithm.DSA.value) ||
+                    (expected.equalsIgnoreCase("ecdsa") &&
+                            signValue == SignatureAlgorithm.ECDSA.value) ||
+                    (expected.equalsIgnoreCase("ec") &&
+                            signValue == SignatureAlgorithm.ECDSA.value)) {
+
+                if (algorithm.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
+                        algorithm.hash.length <= maxDigestLength) {
+
+                    return algorithm;
                 }
             }
-
-            return null;  // no supported algorithm
         }
 
-        if (expected == null ) {
-            return null;  // no expected algorithm, no supported algorithm
-        }
+        return null;
+    }
 
-        /*
-         * Need to check RSA key length to match the length of hash value
-         */
+    /*
+     * Need to check key length to match the length of hash value
+     */
+    private static int getMaxDigestLength(PrivateKey signingKey) {
         int maxDigestLength = Integer.MAX_VALUE;
+
+        // only need to check RSA algorithm at present.
         if (signingKey != null &&
-                "rsa".equalsIgnoreCase(signingKey.getAlgorithm()) &&
-                expected.equalsIgnoreCase("rsa")) {
+                "rsa".equalsIgnoreCase(signingKey.getAlgorithm())) {
             /*
              * RSA keys of 512 bits have been shown to be practically
              * breakable, it does not make much sense to use the strong
@@ -284,25 +299,7 @@ final class SignatureAndHashAlgorithm {
                 // preferable hash algorithm.
         }
 
-        for (SignatureAndHashAlgorithm algorithm : algorithms) {
-            int signValue = algorithm.id & 0xFF;
-            if (expected.equalsIgnoreCase("rsa") &&
-                    signValue == SignatureAlgorithm.RSA.value) {
-                if (algorithm.hash.length <= maxDigestLength) {
-                    return algorithm;
-                }
-            } else if (
-                    (expected.equalsIgnoreCase("dsa") &&
-                        signValue == SignatureAlgorithm.DSA.value) ||
-                    (expected.equalsIgnoreCase("ecdsa") &&
-                        signValue == SignatureAlgorithm.ECDSA.value) ||
-                    (expected.equalsIgnoreCase("ec") &&
-                        signValue == SignatureAlgorithm.ECDSA.value)) {
-                return algorithm;
-            }
-        }
-
-        return null;
+        return maxDigestLength;
     }
 
     static enum HashAlgorithm {

src/share/classes/sun/security/util/KeyUtil.java

 /*
- * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,6 +41,8 @@ import javax.crypto.spec.DHParameterSpec;
 import javax.crypto.spec.DHPublicKeySpec;
 import java.math.BigInteger;
 
+import sun.security.jca.JCAUtil;
+
 /**
  * A utility class to get key length, valiate keys, etc.
  */
@@ -144,8 +146,6 @@ public final class KeyUtil {
 
     /**
      * Returns whether the specified provider is Oracle provider or not.
-     * <P>
-     * Note that this method is only apply to SunJCE and SunPKCS11 at present.
      *
      * @param  providerName
      *         the provider name
@@ -153,8 +153,11 @@ public final class KeyUtil {
      *         {@code providerName} is Oracle provider
      */
     public static final boolean isOracleJCEProvider(String providerName) {
-        return providerName != null && (providerName.equals("SunJCE") ||
-                                        providerName.startsWith("SunPKCS11"));
+        return providerName != null &&
+                (providerName.equals("SunJCE") ||
+                    providerName.equals("SunMSCAPI") ||
+                    providerName.equals("OracleUcrypto") ||
+                    providerName.startsWith("SunPKCS11"));
     }
 
     /**
@@ -199,7 +202,7 @@ public final class KeyUtil {
             byte[] encoded, boolean isFailOver) {
 
         if (random == null) {
-            random = new SecureRandom();
+            random = JCAUtil.getSecureRandom();
         }
         byte[] replacer = new byte[48];
         random.nextBytes(replacer);

src/share/classes/sun/security/util/Resources_zh_CN.java

 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -63,7 +63,7 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
                 "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A AccessControlContext"},
         {"invalid.null.action.provided", "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A\u64CD\u4F5C"},
         {"invalid.null.Class.provided", "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A\u7C7B"},
-        {"Subject.", "\u4E3B\u9898: \n"},
+        {"Subject.", "\u4E3B\u4F53: \n"},
         {".Principal.", "\t\u4E3B\u7528\u6237: "},
         {".Public.Credential.", "\t\u516C\u5171\u8EAB\u4EFD\u8BC1\u660E: "},
         {".Private.Credentials.inaccessible.",
@@ -71,9 +71,9 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {".Private.Credential.", "\t\u4E13\u7528\u8EAB\u4EFD\u8BC1\u660E: "},
         {".Private.Credential.inaccessible.",
                 "\t\u65E0\u6CD5\u8BBF\u95EE\u4E13\u7528\u8EAB\u4EFD\u8BC1\u660E\n"},
-        {"Subject.is.read.only", "\u4E3B\u9898\u4E3A\u53EA\u8BFB"},
+        {"Subject.is.read.only", "\u4E3B\u4F53\u4E3A\u53EA\u8BFB"},
         {"attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set",
-                "\u6B63\u5728\u5C1D\u8BD5\u5C06\u4E00\u4E2A\u975E java.security.Principal \u5B9E\u4F8B\u7684\u5BF9\u8C61\u6DFB\u52A0\u5230\u4E3B\u9898\u7684\u4E3B\u7528\u6237\u96C6\u4E2D"},
+                "\u6B63\u5728\u5C1D\u8BD5\u5C06\u4E00\u4E2A\u975E java.security.Principal \u5B9E\u4F8B\u7684\u5BF9\u8C61\u6DFB\u52A0\u5230\u4E3B\u4F53\u7684\u4E3B\u7528\u6237\u96C6\u4E2D"},
         {"attempting.to.add.an.object.which.is.not.an.instance.of.class",
                 "\u6B63\u5728\u5C1D\u8BD5\u6DFB\u52A0\u4E00\u4E2A\u975E{0}\u5B9E\u4F8B\u7684\u5BF9\u8C61"},
 
@@ -84,11 +84,11 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
         {"Invalid.null.input.name", "\u65E0\u6548\u7A7A\u8F93\u5165: \u540D\u79F0"},
         {"No.LoginModules.configured.for.name",
          "\u6CA1\u6709\u4E3A{0}\u914D\u7F6E LoginModules"},
-        {"invalid.null.Subject.provided", "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A\u4E3B\u9898"},
+        {"invalid.null.Subject.provided", "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A\u4E3B\u4F53"},
         {"invalid.null.CallbackHandler.provided",
                 "\u63D0\u4F9B\u4E86\u65E0\u6548\u7684\u7A7A CallbackHandler"},
         {"null.subject.logout.called.before.login",
-                "\u7A7A\u4E3B\u9898 - \u5728\u767B\u5F55\u4E4B\u524D\u8C03\u7528\u4E86\u6CE8\u9500"},
+                "\u7A7A\u4E3B\u4F53 - \u5728\u767B\u5F55\u4E4B\u524D\u8C03\u7528\u4E86\u6CE8\u9500"},
         {"unable.to.instantiate.LoginModule.module.because.it.does.not.provide.a.no.argument.constructor",
                 "\u65E0\u6CD5\u5B9E\u4F8B\u5316 LoginModule, {0}, \u56E0\u4E3A\u5B83\u672A\u63D0\u4F9B\u4E00\u4E2A\u65E0\u53C2\u6570\u6784\u9020\u5668"},
         {"unable.to.instantiate.LoginModule",

src/share/classes/sun/security/x509/AlgorithmId.java

@@ -588,7 +588,7 @@ public class AlgorithmId implements Serializable, DerEncoder {
             }
 
             if (oidTable == null) {
-                oidTable = new HashMap<String,ObjectIdentifier>(1);
+                oidTable = Collections.<String,ObjectIdentifier>emptyMap();
             }
             initOidTable = true;
         }

src/share/classes/sun/security/x509/CRLDistributionPointsExtension.java

@@ -29,6 +29,7 @@ import java.io.IOException;
 import java.io.OutputStream;
 
 import java.util.*;
+import java.util.Collections;
 
 import sun.security.util.DerOutputStream;
 import sun.security.util.DerValue;
@@ -255,11 +256,12 @@ public class CRLDistributionPointsExtension extends Extension
      */
     public void delete(String name) throws IOException {
         if (name.equalsIgnoreCase(POINTS)) {
-            distributionPoints = new ArrayList<DistributionPoint>();
+            distributionPoints =
+                    Collections.<DistributionPoint>emptyList();
         } else {
             throw new IOException("Attribute name [" + name +
-                                "] not recognized by " +
-                                "CertAttrSet:" + extensionName + ".");
+                                  "] not recognized by " +
+                                  "CertAttrSet:" + extensionName + '.');
         }
         encodeThis();
     }

src/share/classes/sun/security/x509/CRLNumberExtension.java

@@ -157,11 +157,10 @@ implements CertAttrSet<String> {
      */
     public BigInteger get(String name) throws IOException {
         if (name.equalsIgnoreCase(NUMBER)) {
-            if (crlNumber == null) return null;
-            else return crlNumber;
+            return crlNumber;
         } else {
-          throw new IOException("Attribute name not recognized by"
-                                + " CertAttrSet:" + extensionName + ".");
+            throw new IOException("Attribute name not recognized by" +
+                                  " CertAttrSet:" + extensionName + '.');
         }
     }
 

src/share/classes/sun/security/x509/DNSName.java

@@ -232,15 +232,15 @@ public class DNSName implements GeneralNameInterface {
      * @throws UnsupportedOperationException if not supported for this name type
      */
     public int subtreeDepth() throws UnsupportedOperationException {
-        String subtree=name;
-        int i=1;
+        // subtree depth is always at least 1
+        int sum = 1;
 
-        /* count dots */
-        for (; subtree.lastIndexOf('.') >= 0; i++) {
-            subtree=subtree.substring(0,subtree.lastIndexOf('.'));
+        // count dots
+        for (int i = name.indexOf('.'); i >= 0; i = name.indexOf('.', i + 1)) {
+            ++sum;
         }
 
-        return i;
+        return sum;
     }
 
 }

src/share/classes/sun/security/x509/EDIPartyName.java

@@ -197,7 +197,7 @@ public class EDIPartyName implements GeneralNameInterface {
      */
     public int hashCode() {
         if (myhash == -1) {
-            myhash = 37 + party.hashCode();
+            myhash = 37 + (party == null ? 1 : party.hashCode());
             if (assigner != null) {
                 myhash = 37 * myhash + assigner.hashCode();
             }

src/share/classes/sun/security/x509/GeneralSubtrees.java

@@ -191,7 +191,7 @@ public class GeneralSubtrees implements Cloneable {
         // the list: if any subsequent entry matches or widens entry n,
         // remove entry n. If any subsequent entries narrow entry n, remove
         // the subsequent entries.
-        for (int i = 0; i < size(); i++) {
+        for (int i = 0; i < (size() - 1); i++) {
             GeneralNameInterface current = getGeneralNameInterface(i);
             boolean remove1 = false;
 

src/share/classes/sun/security/x509/IPAddressName.java

@@ -197,8 +197,10 @@ public class IPAddressName implements GeneralNameInterface {
 
             // append a mask corresponding to the num of prefix bits specified
             int prefixLen = Integer.parseInt(name.substring(slashNdx+1));
-            if (prefixLen > 128)
-                throw new IOException("IPv6Address prefix is longer than 128");
+            if (prefixLen < 0 || prefixLen > 128) {
+                throw new IOException("IPv6Address prefix length (" +
+                        prefixLen + ") in out of valid range [0,128]");
+            }
 
             // create new bit array initialized to zeros
             BitArray bitArray = new BitArray(MASKSIZE * 8);
@@ -317,7 +319,8 @@ public class IPAddressName implements GeneralNameInterface {
         if (!(obj instanceof IPAddressName))
             return false;
 
-        byte[] other = ((IPAddressName)obj).getBytes();
+        IPAddressName otherName = (IPAddressName)obj;
+        byte[] other = otherName.address;
 
         if (other.length != address.length)
             return false;
@@ -326,12 +329,10 @@ public class IPAddressName implements GeneralNameInterface {
             // Two subnet addresses
             // Mask each and compare masked values
             int maskLen = address.length/2;
-            byte[] maskedThis = new byte[maskLen];
-            byte[] maskedOther = new byte[maskLen];
             for (int i=0; i < maskLen; i++) {
-                maskedThis[i] = (byte)(address[i] & address[i+maskLen]);
-                maskedOther[i] = (byte)(other[i] & other[i+maskLen]);
-                if (maskedThis[i] != maskedOther[i]) {
+                byte maskedThis = (byte)(address[i] & address[i+maskLen]);
+                byte maskedOther = (byte)(other[i] & other[i+maskLen]);
+                if (maskedThis != maskedOther) {
                     return false;
                 }
             }
@@ -400,7 +401,8 @@ public class IPAddressName implements GeneralNameInterface {
         else if (((IPAddressName)inputName).equals(this))
             constraintType = NAME_MATCH;
         else {
-            byte[] otherAddress = ((IPAddressName)inputName).getBytes();
+            IPAddressName otherName = (IPAddressName)inputName;
+            byte[] otherAddress = otherName.address;
             if (otherAddress.length == 4 && address.length == 4)
                 // Two host addresses
                 constraintType = NAME_SAME_TYPE;

src/share/classes/sun/security/x509/IssuingDistributionPointExtension.java

@@ -261,6 +261,7 @@ public class IssuingDistributionPointExtension extends Extension
                 throw new IOException(
                     "Attribute value should be of type ReasonFlags.");
             }
+            revocationReasons = (ReasonFlags)obj;
 
         } else if (name.equalsIgnoreCase(INDIRECT_CRL)) {
             if (!(obj instanceof Boolean)) {
@@ -290,7 +291,6 @@ public class IssuingDistributionPointExtension extends Extension
             }
             hasOnlyAttributeCerts = ((Boolean)obj).booleanValue();
 
-
         } else {
             throw new IOException("Attribute name [" + name +
                 "] not recognized by " +

src/share/classes/sun/security/x509/KeyIdentifier.java

@@ -148,7 +148,7 @@ public class KeyIdentifier {
             return true;
         if (!(other instanceof KeyIdentifier))
             return false;
-        return java.util.Arrays.equals(octetString,
-                                       ((KeyIdentifier)other).getIdentifier());
+        byte[] otherString = ((KeyIdentifier)other).octetString;
+        return java.util.Arrays.equals(octetString, otherString);
     }
 }

src/share/classes/sun/security/x509/PolicyMappingsExtension.java

@@ -102,7 +102,7 @@ implements CertAttrSet<String> {
     public PolicyMappingsExtension() {
         extensionId = PKIXExtensions.KeyUsage_Id;
         critical = false;
-        maps = new ArrayList<CertificatePolicyMap>();
+        maps = Collections.<CertificatePolicyMap>emptyList();
     }
 
     /**

src/share/classes/sun/security/x509/PrivateKeyUsageExtension.java

@@ -33,6 +33,7 @@ import java.security.cert.CertificateExpiredException;
 import java.security.cert.CertificateNotYetValidException;
 import java.util.Date;
 import java.util.Enumeration;
+import java.util.Objects;
 
 import sun.security.util.*;
 
@@ -206,16 +207,17 @@ implements CertAttrSet<String> {
      */
     public void valid(Date now)
     throws CertificateNotYetValidException, CertificateExpiredException {
+        Objects.requireNonNull(now);
         /*
          * we use the internal Dates rather than the passed in Date
          * because someone could override the Date methods after()
          * and before() to do something entirely different.
          */
-        if (notBefore.after(now)) {
+        if (notBefore != null && notBefore.after(now)) {
             throw new CertificateNotYetValidException("NotBefore: " +
                                                       notBefore.toString());
         }
-        if (notAfter.before(now)) {
+        if (notAfter != null && notAfter.before(now)) {
             throw new CertificateExpiredException("NotAfter: " +
                                                   notAfter.toString());
         }

src/share/classes/sun/security/x509/RDN.java

@@ -27,6 +27,8 @@ package sun.security.x509;
 
 import java.io.IOException;
 import java.io.StringReader;
+import java.util.Arrays;
+import java.util.StringJoiner;
 import java.util.*;
 
 import sun.security.util.*;
@@ -442,31 +444,19 @@ public class RDN {
                                assertion[0].toRFC2253String(oidMap);
         }
 
-        StringBuilder relname = new StringBuilder();
-        if (!canonical) {
-            for (int i = 0; i < assertion.length; i++) {
-                if (i > 0) {
-                    relname.append('+');
-                }
-                relname.append(assertion[i].toRFC2253String(oidMap));
-            }
-        } else {
+        AVA[] toOutput = assertion;
+        if (canonical) {
             // order the string type AVA's alphabetically,
             // followed by the oid type AVA's numerically
-            List<AVA> avaList = new ArrayList<AVA>(assertion.length);
-            for (int i = 0; i < assertion.length; i++) {
-                avaList.add(assertion[i]);
-            }
-            java.util.Collections.sort(avaList, AVAComparator.getInstance());
-
-            for (int i = 0; i < avaList.size(); i++) {
-                if (i > 0) {
-                    relname.append('+');
-                }
-                relname.append(avaList.get(i).toRFC2253CanonicalString());
-            }
+            toOutput = assertion.clone();
+            Arrays.sort(toOutput, AVAComparator.getInstance());
+        }
+        StringJoiner sj = new StringJoiner("+");
+        for (AVA ava : toOutput) {
+            sj.add(canonical ? ava.toRFC2253CanonicalString()
+                             : ava.toRFC2253String(oidMap));
         }
-        return relname.toString();
+        return sj.toString();
     }
 
 }

src/share/classes/sun/security/x509/SubjectInfoAccessExtension.java

@@ -28,6 +28,7 @@ package sun.security.x509;
 import java.io.IOException;
 import java.io.OutputStream;
 
+import java.util.Collections;
 import java.util.*;
 
 import sun.security.util.DerOutputStream;
@@ -200,7 +201,8 @@ public class SubjectInfoAccessExtension extends Extension
      */
     public void delete(String name) throws IOException {
         if (name.equalsIgnoreCase(DESCRIPTIONS)) {
-            accessDescriptions = new ArrayList<AccessDescription>();
+            accessDescriptions =
+                Collections.<AccessDescription>emptyList();
         } else {
             throw new IOException("Attribute name [" + name +
                                 "] not recognized by " +

src/share/classes/sun/security/x509/URIName.java

@@ -165,7 +165,7 @@ public class URIName implements GeneralNameInterface {
             String host = uri.getSchemeSpecificPart();
             try {
                 DNSName hostDNS;
-                if (host.charAt(0) == '.') {
+                if (host.startsWith(".")) {
                     hostDNS = new DNSName(host.substring(1));
                 } else {
                     hostDNS = new DNSName(host);

src/share/classes/sun/security/x509/X500Name.java

@@ -346,6 +346,8 @@ public class X500Name implements GeneralNameInterface, Principal {
             for (int i = 0; i < names.length; i++) {
                 list.addAll(names[i].avas());
             }
+            list = Collections.unmodifiableList(list);
+            allAvaList = list;
         }
         return list;
     }
@@ -364,9 +366,6 @@ public class X500Name implements GeneralNameInterface, Principal {
      */
     public boolean isEmpty() {
         int n = names.length;
-        if (n == 0) {
-            return true;
-        }
         for (int i = 0; i < n; i++) {
             if (names[i].assertion.length != 0) {
                 return false;
@@ -1109,12 +1108,8 @@ public class X500Name implements GeneralNameInterface, Principal {
      * and speed recognition of common X.500 attributes.
      */
     static ObjectIdentifier intern(ObjectIdentifier oid) {
-        ObjectIdentifier interned = internedOIDs.get(oid);
-        if (interned != null) {
-            return interned;
-        }
-        internedOIDs.put(oid, oid);
-        return oid;
+        ObjectIdentifier interned = internedOIDs.putIfAbsent(oid, oid);
+        return (interned == null) ? oid : interned;
     }
 
     private static final Map<ObjectIdentifier,ObjectIdentifier> internedOIDs

src/share/classes/sun/security/x509/X509AttributeName.java

@@ -47,7 +47,7 @@ public class X509AttributeName {
      */
     public X509AttributeName(String name) {
         int i = name.indexOf(SEPARATOR);
-        if (i == (-1)) {
+        if (i < 0) {
             prefix = name;
         } else {
             prefix = name.substring(0, i);

src/share/classes/sun/security/x509/X509CRLImpl.java

@@ -742,9 +742,7 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
     public byte[] getTBSCertList() throws CRLException {
         if (tbsCertList == null)
             throw new CRLException("Uninitialized CRL");
-        byte[] dup = new byte[tbsCertList.length];
-        System.arraycopy(tbsCertList, 0, dup, 0, dup.length);
-        return dup;
+        return tbsCertList.clone();
     }
 
     /**
@@ -755,9 +753,7 @@ public class X509CRLImpl extends X509CRL implements DerEncoder {
     public byte[] getSignature() {
         if (signature == null)
             return null;
-        byte[] dup = new byte[signature.length];
-        System.arraycopy(signature, 0, dup, 0, dup.length);
-        return dup;
+        return signature.clone();
     }
 
     /**

src/share/classes/sun/security/x509/X509CertImpl.java

@@ -1008,9 +1008,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
     public byte[] getSignature() {
         if (signature == null)
             return null;
-        byte[] dup = new byte[signature.length];
-        System.arraycopy(signature, 0, dup, 0, dup.length);
-        return dup;
+        return signature.clone();
     }
 
     /**

src/share/classes/sun/tools/jar/resources/jar_ja.properties

@@ -45,4 +45,4 @@ out.extracted={0}\u304C\u62BD\u51FA\u3055\u308C\u307E\u3057\u305F
 out.inflated=\ {0}\u304C\u5C55\u958B\u3055\u308C\u307E\u3057\u305F
 out.size=(\u5165={0})(\u51FA={1})
 
-usage=\u4F7F\u7528\u65B9\u6CD5: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u30AA\u30D7\u30B7\u30E7\u30F3:\n    -c  \u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u65B0\u898F\u4F5C\u6210\u3059\u308B\n    -t  \u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u5185\u5BB9\u3092\u4E00\u89A7\u8868\u793A\u3059\u308B\n    -x  \u6307\u5B9A\u306E(\u307E\u305F\u306F\u3059\u3079\u3066\u306E)\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6\u304B\u3089\u62BD\u51FA\u3059\u308B\n    -u  \u65E2\u5B58\u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u66F4\u65B0\u3059\u308B\n    -v  \u6A19\u6E96\u51FA\u529B\u306B\u8A73\u7D30\u306A\u51FA\u529B\u3092\u751F\u6210\u3059\u308B\n    -f  \u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3092\u6307\u5B9A\u3059\u308B\n    -m  \u6307\u5B9A\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u304B\u3089\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u60C5\u5831\u3092\u53D6\u308A\u8FBC\u3080\n    -n  \u65B0\u898F\u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u4F5C\u6210\u5F8C\u306BPack200\u6B63\u898F\u5316\u3092\u5B9F\u884C\u3059\u308B\n    -e  \u5B9F\u884C\u53EF\u80FDjar\u30D5\u30A1\u30A4\u30EB\u306B\u30D0\u30F3\u30C9\u30EB\u3055\u308C\u305F\u30B9\u30BF\u30F3\u30C9\u30A2\u30ED\u30F3\u30FB\n        \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306E\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u3092\u6307\u5B9A\u3059\u308B\n    -0  \u683C\u7D0D\u306E\u307F\u3002ZIP\u5727\u7E2E\u3092\u4F7F\u7528\u3057\u306A\u3044\n    -P  \u30D5\u30A1\u30A4\u30EB\u540D\u306E\u5148\u982D\u306E'/' (\u7D76\u5BFE\u30D1\u30B9)\u304A\u3088\u3073\\"..\\" (\u89AA\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA)\u30B3\u30F3\u30DD\u30FC\u30CD\u30F3\u30C8\u3092\u4FDD\u6301\u3059\u308B\n    -M  \u30A8\u30F3\u30C8\u30EA\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u4F5C\u6210\u3057\u306A\u3044\n    -i  \u6307\u5B9A\u306Ejar\u30D5\u30A1\u30A4\u30EB\u306E\u7D22\u5F15\u60C5\u5831\u3092\u751F\u6210\u3059\u308B\n    -C  \u6307\u5B9A\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306B\u5909\u66F4\u3057\u3001\u6B21\u306E\u30D5\u30A1\u30A4\u30EB\u3092\u53D6\u308A\u8FBC\u3080\n\u30D5\u30A1\u30A4\u30EB\u304C\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u5834\u5408\u306F\u518D\u5E30\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002\n\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3001\u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u304A\u3088\u3073\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u540D\u306F\u3001\n\u30D5\u30E9\u30B0'm'\u3001'f'\u3001'e'\u306E\u6307\u5B9A\u3068\u540C\u3058\u9806\u756A\u3067\u6307\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\n\n\u4F8B1: 2\u3064\u306E\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6classes.jar\u306B\u4FDD\u5B58\u3059\u308B: \n       jar cvf classes.jar Foo.class Bar.class \n\u4F8B2: \u65E2\u5B58\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB'mymanifest'\u3092\u4F7F\u7528\u3057\u3001foo/\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\n           \u5168\u30D5\u30A1\u30A4\u30EB\u3092'classes.jar'\u306B\u30A2\u30FC\u30AB\u30A4\u30D6\u3059\u308B: \n       jar cvfm classes.jar mymanifest -C foo/ \n
+usage=\u4F7F\u7528\u65B9\u6CD5: jar {ctxui}[vfmn0PMe] [jar-file] [manifest-file] [entry-point] [-C dir] files ...\n\u30AA\u30D7\u30B7\u30E7\u30F3:\n    -c  \u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u65B0\u898F\u4F5C\u6210\u3059\u308B\n    -t  \u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u5185\u5BB9\u3092\u4E00\u89A7\u8868\u793A\u3059\u308B\n    -x  \u6307\u5B9A\u306E(\u307E\u305F\u306F\u3059\u3079\u3066\u306E)\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6\u304B\u3089\u62BD\u51FA\u3059\u308B\n    -u  \u65E2\u5B58\u30A2\u30FC\u30AB\u30A4\u30D6\u3092\u66F4\u65B0\u3059\u308B\n    -v  \u6A19\u6E96\u51FA\u529B\u306B\u8A73\u7D30\u306A\u51FA\u529B\u3092\u751F\u6210\u3059\u308B\n    -f  \u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3092\u6307\u5B9A\u3059\u308B\n    -m  \u6307\u5B9A\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u304B\u3089\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u60C5\u5831\u3092\u53D6\u308A\u8FBC\u3080\n    -n  \u65B0\u898F\u30A2\u30FC\u30AB\u30A4\u30D6\u306E\u4F5C\u6210\u5F8C\u306BPack200\u6B63\u898F\u5316\u3092\u5B9F\u884C\u3059\u308B\n    -e  \u5B9F\u884C\u53EF\u80FDjar\u30D5\u30A1\u30A4\u30EB\u306B\u30D0\u30F3\u30C9\u30EB\u3055\u308C\u305F\u30B9\u30BF\u30F3\u30C9\u30A2\u30ED\u30F3\u30FB\n        \u30A2\u30D7\u30EA\u30B1\u30FC\u30B7\u30E7\u30F3\u306E\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u3092\u6307\u5B9A\u3059\u308B\n    -0  \u683C\u7D0D\u306E\u307F\u3002ZIP\u5727\u7E2E\u3092\u4F7F\u7528\u3057\u306A\u3044\n    -P  \u30D5\u30A1\u30A4\u30EB\u540D\u306E\u5148\u982D\u306E'/' (\u7D76\u5BFE\u30D1\u30B9)\u304A\u3088\u3073\\"..\\" (\u89AA\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA)\u30B3\u30F3\u30DD\u30FC\u30CD\u30F3\u30C8\u3092\u4FDD\u6301\u3059\u308B\n    -M  \u30A8\u30F3\u30C8\u30EA\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u4F5C\u6210\u3057\u306A\u3044\n    -i  \u6307\u5B9A\u306Ejar\u30D5\u30A1\u30A4\u30EB\u306E\u7D22\u5F15\u60C5\u5831\u3092\u751F\u6210\u3059\u308B\n    -C  \u6307\u5B9A\u306E\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306B\u5909\u66F4\u3057\u3001\u6B21\u306E\u30D5\u30A1\u30A4\u30EB\u3092\u53D6\u308A\u8FBC\u3080\n\u30D5\u30A1\u30A4\u30EB\u304C\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\u5834\u5408\u306F\u518D\u5E30\u7684\u306B\u51E6\u7406\u3055\u308C\u307E\u3059\u3002\n\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u3001\u30A2\u30FC\u30AB\u30A4\u30D6\u30FB\u30D5\u30A1\u30A4\u30EB\u540D\u304A\u3088\u3073\u30A8\u30F3\u30C8\u30EA\u30FB\u30DD\u30A4\u30F3\u30C8\u540D\u306F\u3001\n\u30D5\u30E9\u30B0'm'\u3001'f'\u3001'e'\u306E\u6307\u5B9A\u3068\u540C\u3058\u9806\u756A\u3067\u6307\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002\n\n\u4F8B1: 2\u3064\u306E\u30AF\u30E9\u30B9\u30FB\u30D5\u30A1\u30A4\u30EB\u3092\u30A2\u30FC\u30AB\u30A4\u30D6classes.jar\u306B\u4FDD\u5B58\u3059\u308B: \n       jar cvf classes.jar Foo.class Bar.class \n\u4F8B2: \u65E2\u5B58\u306E\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u30FB\u30D5\u30A1\u30A4\u30EB'mymanifest'\u3092\u4F7F\u7528\u3057\u3001foo/\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u306E\n           \u5168\u30D5\u30A1\u30A4\u30EB\u3092'classes.jar'\u306B\u30A2\u30FC\u30AB\u30A4\u30D6\u3059\u308B: \n       jar cvfm classes.jar mymanifest -C foo/ .\n

src/share/lib/security/blacklisted.certs

-Algorithm=SHA-256
-76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645
-4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE
-D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F
-14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
-D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967
-5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B
-9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC
-FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B
-A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083
-4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176
-8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF
-B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD
-3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66
-31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133
-450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2
-FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD
-DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE
-F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7
+Algorithm=SHA-256
+76A45A496031E4DD2D7ED23E8F6FF97DBDEA980BAAC8B0BA94D7EDB551348645
+4CBBF8256BC9888A8007B2F386940A2E394378B0D903CBB3863C5A6394B889CE
+D24566BF315F4E597D6E381C87119FB4198F5E9E2607F5F4AB362EF7E2E7672F
+14E6D2764A4B06701C6CBC376A253775F79C782FBCB6C0EE6F99DE4BA1024ADD
+D3A936E1A7775A45217C8296A1F22AC5631DCDEC45594099E78EEEBBEDCBA967
+5E83124D68D24E8E177E306DF643D5EA99C5A94D6FC34B072F7544A1CABB7C7B
+9ED8F9B0E8E42A1656B8E1DD18F42BA42DC06FE52686173BA2FC70E756F207DC
+FDEDB5BDFCB67411513A61AEE5CB5B5D7C52AF06028EFC996CC1B05B1D6CEA2B
+A686FEE577C88AB664D0787ECDFFF035F4806F3DE418DC9E4D516324FFF02083
+4FEE0163686ECBD65DB968E7494F55D84B25486D438E9DE558D629D28CD4D176
+8A1BD21661C60015065212CC98B1ABB50DFD14C872A208E66BAE890F25C448AF
+B8686723E415534BC0DBD16326F9486F85B0B0799BF6639334E61DAAE67F36CD
+3946901F46B0071E90D78279E82FABABCA177231A704BE72C5B0E8918566EA66
+31C8FD37DB9B56E708B03D1F01848B068C6DA66F36FB5D82C008C6040FA3E133
+450F1B421BB05C8609854884559C323319619E8B06B001EA2DCBB74A23AA3BE2
+FC02FD48DB92D4DCE6F11679D38354CF750CFC7F584A520EB90BDE80E241F2BD
+DF21016B00FC54F9FE3BC8B039911BB216E9162FAD2FD14D990AB96E951B49BE
+F5B6F88F75D391A4B1EB336F9E201239FB6B1377DB8CFA7B84736216E5AFFFD7
+EC30C9C3065A06BB07DC5B1C6B497F370C1CA65C0F30C08E042BA6BCECC78F2C

src/share/lib/security/blacklisted.certs.pem

@@ -719,3 +719,26 @@ v9qpeC45ZA/jelxV11HKbQnVF194gDb7D2H9OsAsRUy8HVKbXEcc/8dKvwOqb+BC
 DBabJH1vJ9Gd+KwxMCmBZ6pQPl28JDimhJhI2LNqU349uADQVV0HJosddN/ARyyI
 LSIQO7BnNVKVG9Iujf33bvPNeg0qNz5qw+rKKq97Pqeum+L5oKU=
 -----END CERTIFICATE-----
+
+// Subject: CN=eDellRoot
+// Issuer: CN=eDellRoot
+// Serial Number:
+//     6b:c5:7b:95:18:93:aa:97:4b:62:4a:c0:88:fc:3b:b6
+-----BEGIN CERTIFICATE-----
+MIIC8zCCAd+gAwIBAgIQa8V7lRiTqpdLYkrAiPw7tjAJBgUrDgMCHQUAMBQxEjAQ
+BgNVBAMTCWVEZWxsUm9vdDAeFw0xNTA0MDcxMDIzMjdaFw0zOTEyMzEyMzU5NTla
+MBQxEjAQBgNVBAMTCWVEZWxsUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAL3RJg1uzVuEX0Hw4XWGzs6oI9W+o7HZdVdBMMVb4Gzb4uZjCTNjbPx4
+b8LNFL1uArUt+5VVMQDsOTY3Lg/Xe/UNukY2b+0llUOzzBYYpbsFcco4n6SsTvDh
+Ni5t+kPo7c23ZrYBPmOu82eEJ6cavs/t39u+wFOkXXwvRCiHA/lWyNWNEPh17+bC
+EP3q5N+JrV+6Ho3zQPEv5QUJYdmXsMmD2CMQojeQUj68J91P5w5BKjurG0xjivzh
+Soie9ym7VRwLFjWScRuw/9XV6CLqTyL5xrqiiDp1uTOuqNj3uxyts9ocbsoJXuxj
+5iEYkSM1nvLupEv+lgy9WqzIEFMm1l8CAwEAAaNJMEcwRQYDVR0BBD4wPIAQYA/f
+EzPwmaRcZuSaa/VZ1KEWMBQxEjAQBgNVBAMTCWVEZWxsUm9vdIIQa8V7lRiTqpdL
+YkrAiPw7tjAJBgUrDgMCHQUAA4IBAQArfdcScsezj8ooJ92UwwnPgg36noOgiUs5
+XzPLP4h0JpUYQVKB9hY1WTDwRUfTKGh7oNOowd027a/rVSb/TNeoiJIvMKn4gbvV
+CWAiHhO8u2u0RkHCDVsa7e0i4ncpueWsihjn6jBrY8T+7eDYwiFT/F03A8NJ7mK5
+lZA8SFd5CTDy3EBUU5UwzXUc5HoIRUxXSPycu3aIBWawg3sCdKiAoikScPAWj0bM
+0vmsP/8QSlTOBqO+QFQ6R82BtTvBNU3qbVICV4QObsxib++FAFL56NApPqskg7Vz
+LfNIAjKabHUcjbuZkmg6jr4BfYW7+oQDHCsYgADjjKGdKz/8U/fP
+-----END CERTIFICATE-----

src/share/lib/security/java.security-aix

@@ -481,7 +481,7 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
@@ -509,7 +509,7 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-linux

@@ -481,7 +481,7 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
@@ -509,7 +509,7 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-macosx

@@ -484,7 +484,7 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
@@ -512,7 +512,7 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-solaris

@@ -483,7 +483,7 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
@@ -511,7 +511,7 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/lib/security/java.security-windows

@@ -484,7 +484,7 @@ krb5.kdc.bad.policy = tryLast
 #   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
 #
 #
-jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
+jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
 
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
@@ -512,7 +512,7 @@ jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
+jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.

src/share/native/sun/awt/image/jpeg/jpegdecoder.c

@@ -180,6 +180,7 @@ struct sun_jpeg_source_mgr {
       int               *ip;
       unsigned char     *bp;
   } outbuf;
+  size_t outbufSize;
   jobject hOutputBuffer;
 };
 
@@ -233,6 +234,7 @@ static int GET_ARRAYS(JNIEnv *env, sun_jpeg_source_ptr src)
     }
     if (src->hOutputBuffer) {
         assert(src->outbuf.ip == 0);
+        src->outbufSize = (*env)->GetArrayLength(env, src->hOutputBuffer);
         src->outbuf.ip = (int *)(*env)->GetPrimitiveArrayCritical
             (env, src->hOutputBuffer, 0);
         if (src->outbuf.ip == 0) {
@@ -677,8 +679,8 @@ Java_sun_awt_image_JPEGImageDecoder_readImage(JNIEnv *env,
                                               cinfo.output_scanline - 1);
           } else {
               if (hasalpha) {
-                  ip = jsrc.outbuf.ip + cinfo.image_width;
-                  bp = jsrc.outbuf.bp + cinfo.image_width * 4;
+                  ip = jsrc.outbuf.ip + jsrc.outbufSize;
+                  bp = jsrc.outbuf.bp + jsrc.outbufSize * 4;
                   while (ip > jsrc.outbuf.ip) {
                       pixel = (*--bp) << 24;
                       pixel |= (*--bp);
@@ -687,8 +689,8 @@ Java_sun_awt_image_JPEGImageDecoder_readImage(JNIEnv *env,
                       *--ip = pixel;
                   }
               } else {
-                  ip = jsrc.outbuf.ip + cinfo.image_width;
-                  bp = jsrc.outbuf.bp + cinfo.image_width * 3;
+                  ip = jsrc.outbuf.ip + jsrc.outbufSize;
+                  bp = jsrc.outbuf.bp + jsrc.outbufSize * 3;
                   while (ip > jsrc.outbuf.ip) {
                       pixel = (*--bp);
                       pixel |= (*--bp) << 8;

src/share/native/sun/awt/libpng/LICENSE

@@ -10,21 +10,18 @@ this sentence.
 
 This code is released under the libpng license.
 
-libpng versions 1.2.6, August 15, 2004, through 1.6.16, December 22, 2014, are
-Copyright (c) 2004, 2006-2014 Glenn Randers-Pehrson, and are
-distributed according to the same disclaimer and license as libpng-1.2.5
-with the following individual added to the list of Contributing Authors
-
-   Cosmin Truta
-
-libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, are
-Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are
-distributed according to the same disclaimer and license as libpng-1.0.6
-with the following individuals added to the list of Contributing Authors
+libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are
+Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are
+derived from libpng-1.0.6, and are distributed according to the same
+disclaimer and license as libpng-1.0.6 with the following individuals
+added to the list of Contributing Authors:
 
    Simon-Pierre Cadieux
    Eric S. Raymond
+   Mans Rullgard
+   Cosmin Truta
    Gilles Vollant
+   James Yu
 
 and with the following additions to the disclaimer:
 
@@ -36,18 +33,20 @@ and with the following additions to the disclaimer:
    the user.
 
 libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are
-Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are
-distributed according to the same disclaimer and license as libpng-0.96,
-with the following individuals added to the list of Contributing Authors:
+Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from
+libpng-0.96, and are distributed according to the same disclaimer and
+license as libpng-0.96, with the following individuals added to the list
+of Contributing Authors:
 
    Tom Lane
    Glenn Randers-Pehrson
    Willem van Schaik
 
 libpng versions 0.89, June 1996, through 0.96, May 1997, are
-Copyright (c) 1996, 1997 Andreas Dilger
-Distributed according to the same disclaimer and license as libpng-0.88,
-with the following individuals added to the list of Contributing Authors:
+Copyright (c) 1996-1997 Andreas Dilger, are derived from libpng-0.88,
+and are distributed according to the same disclaimer and license as
+libpng-0.88, with the following individuals added to the list of
+Contributing Authors:
 
    John Bowler
    Kevin Bracey
@@ -57,7 +56,7 @@ with the following individuals added to the list of Contributing Authors:
    Tom Tanner
 
 libpng versions 0.5, May 1995, through 0.88, January 1996, are
-Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.
+Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
 
 For the purposes of this copyright and license, "Contributing Authors"
 is defined as the following set of individuals:
@@ -80,13 +79,13 @@ Permission is hereby granted to use, copy, modify, and distribute this
 source code, or portions hereof, for any purpose, without fee, subject
 to the following restrictions:
 
-1. The origin of this source code must not be misrepresented.
+  1. The origin of this source code must not be misrepresented.
 
-2. Altered versions must be plainly marked as such and must not
-   be misrepresented as being the original source.
+  2. Altered versions must be plainly marked as such and must not
+     be misrepresented as being the original source.
 
-3. This Copyright notice may not be removed or altered from any
-   source or altered source distribution.
+  3. This Copyright notice may not be removed or altered from any
+     source or altered source distribution.
 
 The Contributing Authors and Group 42, Inc. specifically permit, without
 fee, and encourage the use of this source code as a component to
@@ -94,18 +93,20 @@ supporting the PNG file format in commercial products.  If you use this
 source code in a product, acknowledgment is not required but would be
 appreciated.
 
+END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE.
 
 A "png_get_copyright" function is available, for convenient use in "about"
 boxes and the like:
 
-   printf("%s",png_get_copyright(NULL));
+   printf("%s", png_get_copyright(NULL));
 
 Also, the PNG logo (in PNG format, of course) is supplied in the
 files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31).
 
-Libpng is OSI Certified Open Source Software.  OSI Certified Open Source is a
-certification mark of the Open Source Initiative.
+Libpng is OSI Certified Open Source Software.  OSI Certified Open Source is
+a certification mark of the Open Source Initiative. OSI has not addressed
+the additional disclaimers inserted at version 1.0.7.
 
 Glenn Randers-Pehrson
 glennrp at users.sourceforge.net
-December 22, 2014
+December 3, 2015

src/share/native/sun/awt/libpng/README

-README for libpng version 1.6.16 - December 22, 2014 (shared library 16.0)
+README for libpng version 1.6.20 - December 3, 2015 (shared library 16.0)
 See the note about version numbers near the top of png.h
 
 See INSTALL for instructions on how to install libpng.
@@ -134,7 +134,7 @@ and ...".  If in doubt, send questions to me.  I'll bounce them
 to others, if necessary.
 
 Please do not send suggestions on how to change PNG.  We have
-been discussing PNG for nineteen years now, and it is official and
+been discussing PNG for twenty years now, and it is official and
 finished.  If you have suggestions for libpng, however, I'll
 gladly listen.  Even if your suggestion is not used immediately,
 it may be used later.

src/share/native/sun/awt/libpng/pngconf.h

@@ -29,9 +29,9 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * libpng version 1.6.16,December 22, 2014
+ * libpng version 1.6.20, December 3, 2015
  *
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -39,9 +39,7 @@
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
  *
- */
-
-/* Any machine specific code is near the front of this file, so if you
+ * Any machine specific code is near the front of this file, so if you
  * are configuring libpng for a machine, you may want to read the section
  * starting here down to where it starts to typedef png_color, png_text,
  * and png_info.
@@ -50,26 +48,6 @@
 #ifndef PNGCONF_H
 #define PNGCONF_H
 
-/* To do: Do all of this in scripts/pnglibconf.dfa */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
-#  ifdef PNG_USER_WIDTH_MAX
-#    undef PNG_USER_WIDTH_MAX
-#    define PNG_USER_WIDTH_MAX 1000000L
-#  endif
-#  ifdef PNG_USER_HEIGHT_MAX
-#    undef PNG_USER_HEIGHT_MAX
-#    define PNG_USER_HEIGHT_MAX 1000000L
-#  endif
-#  ifdef PNG_USER_CHUNK_MALLOC_MAX
-#    undef PNG_USER_CHUNK_MALLOC_MAX
-#    define PNG_USER_CHUNK_MALLOC_MAX 4000000L
-#  endif
-#  ifdef PNG_USER_CHUNK_CACHE_MAX
-#    undef PNG_USER_CHUNK_CACHE_MAX
-#    define PNG_USER_CHUNK_CACHE_MAX 128
-#  endif
-#endif
-
 #ifndef PNG_BUILDING_SYMBOL_TABLE /* else includes may cause problems */
 
 /* From libpng 1.6.0 libpng requires an ANSI X3.159-1989 ("ISOC90") compliant C
@@ -113,7 +91,7 @@
  */
 #define PNG_CONST const /* backward compatibility only */
 
-/* This controls optimization of the reading of 16 and 32 bit values
+/* This controls optimization of the reading of 16-bit and 32-bit values
  * from PNG files.  It can be set on a per-app-file basis - it
  * just changes whether a macro is used when the function is called.
  * The library builder sets the default; if read functions are not
@@ -345,11 +323,11 @@
     * table entries, so we discard it here.  See the .dfn files in the
     * scripts directory.
     */
-#ifndef PNG_EXPORTA
 
-#  define PNG_EXPORTA(ordinal, type, name, args, attributes)\
-      PNG_FUNCTION(PNG_EXPORT_TYPE(type),(PNGAPI name),PNGARG(args), \
-        extern attributes)
+#ifndef PNG_EXPORTA
+#  define PNG_EXPORTA(ordinal, type, name, args, attributes) \
+      PNG_FUNCTION(PNG_EXPORT_TYPE(type), (PNGAPI name), PNGARG(args), \
+      PNG_LINKAGE_API attributes)
 #endif
 
 /* ANSI-C (C90) does not permit a macro to be invoked with an empty argument,
@@ -357,7 +335,7 @@
  */
 #define PNG_EMPTY /*empty list*/
 
-#define PNG_EXPORT(ordinal, type, name, args)\
+#define PNG_EXPORT(ordinal, type, name, args) \
    PNG_EXPORTA(ordinal, type, name, args, PNG_EMPTY)
 
 /* Use PNG_REMOVED to comment out a removed interface. */
@@ -530,7 +508,7 @@
 #if CHAR_BIT == 8 && UCHAR_MAX == 255
    typedef unsigned char png_byte;
 #else
-#  error "libpng requires 8 bit bytes"
+#  error "libpng requires 8-bit bytes"
 #endif
 
 #if INT_MIN == -32768 && INT_MAX == 32767
@@ -538,7 +516,7 @@
 #elif SHRT_MIN == -32768 && SHRT_MAX == 32767
    typedef short png_int_16;
 #else
-#  error "libpng requires a signed 16 bit type"
+#  error "libpng requires a signed 16-bit type"
 #endif
 
 #if UINT_MAX == 65535
@@ -546,7 +524,7 @@
 #elif USHRT_MAX == 65535
    typedef unsigned short png_uint_16;
 #else
-#  error "libpng requires an unsigned 16 bit type"
+#  error "libpng requires an unsigned 16-bit type"
 #endif
 
 #if INT_MIN < -2147483646 && INT_MAX > 2147483646
@@ -554,7 +532,7 @@
 #elif LONG_MIN < -2147483646 && LONG_MAX > 2147483646
    typedef long int png_int_32;
 #else
-#  error "libpng requires a signed 32 bit (or more) type"
+#  error "libpng requires a signed 32-bit (or more) type"
 #endif
 
 #if UINT_MAX > 4294967294
@@ -562,7 +540,7 @@
 #elif ULONG_MAX > 4294967294
    typedef unsigned long int png_uint_32;
 #else
-#  error "libpng requires an unsigned 32 bit (or more) type"
+#  error "libpng requires an unsigned 32-bit (or more) type"
 #endif
 
 /* Prior to 1.6.0 it was possible to disable the use of size_t, 1.6.0, however,

src/share/native/sun/awt/libpng/pngdebug.h

@@ -29,12 +29,11 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
+ * Last changed in libpng 1.6.8 [December 19, 2013]
  * Copyright (c) 1998-2013 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.6.8 [December 19, 2013]
- *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h

src/share/native/sun/awt/libpng/pngget.c

@@ -29,8 +29,8 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * Last changed in libpng 1.6.15 [November 20, 2014]
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.17 [March 26, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -827,14 +827,20 @@ png_get_IHDR(png_const_structrp png_ptr, png_const_inforp info_ptr,
 {
    png_debug1(1, "in %s retrieval function", "IHDR");
 
-   if (png_ptr == NULL || info_ptr == NULL || width == NULL ||
-       height == NULL || bit_depth == NULL || color_type == NULL)
+   if (png_ptr == NULL || info_ptr == NULL)
       return (0);
 
-   *width = info_ptr->width;
-   *height = info_ptr->height;
-   *bit_depth = info_ptr->bit_depth;
-   *color_type = info_ptr->color_type;
+   if (width != NULL)
+       *width = info_ptr->width;
+
+   if (height != NULL)
+       *height = info_ptr->height;
+
+   if (bit_depth != NULL)
+       *bit_depth = info_ptr->bit_depth;
+
+   if (color_type != NULL)
+       *color_type = info_ptr->color_type;
 
    if (compression_type != NULL)
       *compression_type = info_ptr->compression_type;
@@ -1163,21 +1169,21 @@ png_get_compression_buffer_size(png_const_structrp png_ptr)
    if (png_ptr == NULL)
       return 0;
 
-#  ifdef PNG_WRITE_SUPPORTED
+#ifdef PNG_WRITE_SUPPORTED
       if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0)
-#  endif
+#endif
    {
-#     ifdef PNG_SEQUENTIAL_READ_SUPPORTED
+#ifdef PNG_SEQUENTIAL_READ_SUPPORTED
          return png_ptr->IDAT_read_size;
-#     else
+#else
          return PNG_IDAT_READ_SIZE;
-#     endif
+#endif
    }
 
-#  ifdef PNG_WRITE_SUPPORTED
+#ifdef PNG_WRITE_SUPPORTED
       else
          return png_ptr->zbuffer_size;
-#  endif
+#endif
 }
 
 #ifdef PNG_SET_USER_LIMITS_SUPPORTED

src/share/native/sun/awt/libpng/pnginfo.h

@@ -29,12 +29,11 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
+ * Last changed in libpng 1.6.1 [March 28, 2013]
  * Copyright (c) 1998-2013 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.6.1 [March 28, 2013]
- *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h

src/share/native/sun/awt/libpng/pnglibconf.h

@@ -34,7 +34,7 @@
  * file and, per its terms, should not be removed:
  */
 
-/* libpng version 1.6.16,December 22, 2014 */
+/* libpng version 1.6.20, December 3, 2015 */
 
 /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */
 
@@ -129,13 +129,10 @@
 #define PNG_READ_tIME_SUPPORTED
 #define PNG_READ_tRNS_SUPPORTED
 #define PNG_READ_zTXt_SUPPORTED
-/*#undef PNG_SAFE_LIMITS_SUPPORTED*/
 /*#undef PNG_SAVE_INT_32_SUPPORTED*/
 #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED
 #define PNG_SEQUENTIAL_READ_SUPPORTED
 #define PNG_SETJMP_SUPPORTED
-#define PNG_SET_CHUNK_CACHE_LIMIT_SUPPORTED
-#define PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED
 #define PNG_SET_OPTION_SUPPORTED
 #define PNG_SET_UNKNOWN_CHUNKS_SUPPORTED
 #define PNG_SET_USER_LIMITS_SUPPORTED
@@ -161,6 +158,7 @@
 /*#undef PNG_WRITE_BGR_SUPPORTED*/
 /*#undef PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED*/
 /*#undef PNG_WRITE_COMPRESSED_TEXT_SUPPORTED*/
+/*#undef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED*/
 /*#undef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED*/
 /*#undef PNG_WRITE_FILLER_SUPPORTED*/
 /*#undef PNG_WRITE_FILTER_SUPPORTED*/
@@ -219,11 +217,14 @@
 /* end of options */
 /* settings */
 #define PNG_API_RULE 0
-#define PNG_COST_SHIFT 3
 #define PNG_DEFAULT_READ_MACROS 1
 #define PNG_GAMMA_THRESHOLD_FIXED 5000
 #define PNG_IDAT_READ_SIZE PNG_ZBUF_SIZE
 #define PNG_INFLATE_BUF_SIZE 1024
+#define PNG_LINKAGE_API extern
+#define PNG_LINKAGE_CALLBACK extern
+#define PNG_LINKAGE_DATA extern
+#define PNG_LINKAGE_FUNCTION extern
 #define PNG_MAX_GAMMA_8 11
 #define PNG_QUANTIZE_BLUE_BITS 5
 #define PNG_QUANTIZE_GREEN_BITS 5
@@ -234,7 +235,6 @@
 #define PNG_USER_CHUNK_MALLOC_MAX 0
 #define PNG_USER_HEIGHT_MAX 1000000
 #define PNG_USER_WIDTH_MAX 1000000
-#define PNG_WEIGHT_SHIFT 8
 #define PNG_ZBUF_SIZE 8192
 #define PNG_ZLIB_VERNUM 0
 #define PNG_Z_DEFAULT_COMPRESSION (-1)

src/share/native/sun/awt/libpng/pngmem.c

@@ -69,7 +69,7 @@ png_destroy_png_struct(png_structrp png_ptr)
 }
 
 /* Allocate memory.  For reasonable files, size should never exceed
- * 64K.  However, zlib may allocate more then 64K if you don't tell
+ * 64K.  However, zlib may allocate more than 64K if you don't tell
  * it not to.  See zconf.h and png.h for more information.  zlib does
  * need to allocate exactly 64K, so whatever you call here must
  * have the ability to do that.
@@ -105,6 +105,9 @@ png_malloc_base,(png_const_structrp png_ptr, png_alloc_size_t size),
    PNG_UNUSED(png_ptr)
 #endif
 
+   /* Some compilers complain that this is always true.  However, it
+    * can be false when integer overflow happens.
+    */
    if (size > 0 && size <= PNG_SIZE_MAX
 #     ifdef PNG_MAX_MALLOC_64K
          && size <= 65536U

src/share/native/sun/awt/libpng/pngpread.c

@@ -29,8 +29,8 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * Last changed in libpng 1.6.15 [November 20, 2014]
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.18 [July 23, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -47,7 +47,6 @@
 #define PNG_READ_SIG_MODE   0
 #define PNG_READ_CHUNK_MODE 1
 #define PNG_READ_IDAT_MODE  2
-#define PNG_SKIP_MODE       3
 #define PNG_READ_tEXt_MODE  4
 #define PNG_READ_zTXt_MODE  5
 #define PNG_READ_DONE_MODE  6
@@ -106,32 +105,14 @@ png_process_data_pause(png_structrp png_ptr, int save)
 png_uint_32 PNGAPI
 png_process_data_skip(png_structrp png_ptr)
 {
-   png_uint_32 remaining = 0;
-
-   if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE &&
-      png_ptr->skip_length > 0)
-   {
-      /* At the end of png_process_data the buffer size must be 0 (see the loop
-       * above) so we can detect a broken call here:
-       */
-      if (png_ptr->buffer_size != 0)
-         png_error(png_ptr,
-            "png_process_data_skip called inside png_process_data");
-
-      /* If is impossible for there to be a saved buffer at this point -
-       * otherwise we could not be in SKIP mode.  This will also happen if
-       * png_process_skip is called inside png_process_data (but only very
-       * rarely.)
-       */
-      if (png_ptr->save_buffer_size != 0)
-         png_error(png_ptr, "png_process_data_skip called with saved data");
-
-      remaining = png_ptr->skip_length;
-      png_ptr->skip_length = 0;
-      png_ptr->process_mode = PNG_READ_CHUNK_MODE;
-   }
-
-   return remaining;
+  /* TODO: Deprecate and remove this API.
+   * Somewhere the implementation of this seems to have been lost,
+   * or abandoned.  It was only to support some internal back-door access
+   * to png_struct) in libpng-1.4.x.
+   */
+   png_app_warning(png_ptr,
+"png_process_data_skip is not implemented in any current version of libpng");
+   return 0;
 }
 
 /* What we do with the incoming data depends on what we were previously
@@ -163,12 +144,6 @@ png_process_some_data(png_structrp png_ptr, png_inforp info_ptr)
          break;
       }
 
-      case PNG_SKIP_MODE:
-      {
-         png_push_crc_finish(png_ptr);
-         break;
-      }
-
       default:
       {
          png_ptr->buffer_size = 0;
@@ -187,7 +162,7 @@ void /* PRIVATE */
 png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr)
 {
    png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */
-             num_to_check = 8 - num_checked;
+       num_to_check = 8 - num_checked;
 
    if (png_ptr->buffer_size < num_to_check)
    {
@@ -467,69 +442,6 @@ png_push_read_chunk(png_structrp png_ptr, png_inforp info_ptr)
    png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER;
 }
 
-void /* PRIVATE */
-png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip)
-{
-   png_ptr->process_mode = PNG_SKIP_MODE;
-   png_ptr->skip_length = skip;
-}
-
-void /* PRIVATE */
-png_push_crc_finish(png_structrp png_ptr)
-{
-   if (png_ptr->skip_length != 0 && png_ptr->save_buffer_size != 0)
-   {
-      png_size_t save_size = png_ptr->save_buffer_size;
-      png_uint_32 skip_length = png_ptr->skip_length;
-
-      /* We want the smaller of 'skip_length' and 'save_buffer_size', but
-       * they are of different types and we don't know which variable has the
-       * fewest bits.  Carefully select the smaller and cast it to the type of
-       * the larger - this cannot overflow.  Do not cast in the following test
-       * - it will break on either 16 or 64 bit platforms.
-       */
-      if (skip_length < save_size)
-         save_size = (png_size_t)skip_length;
-
-      else
-         skip_length = (png_uint_32)save_size;
-
-      png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size);
-
-      png_ptr->skip_length -= skip_length;
-      png_ptr->buffer_size -= save_size;
-      png_ptr->save_buffer_size -= save_size;
-      png_ptr->save_buffer_ptr += save_size;
-   }
-   if (png_ptr->skip_length != 0 && png_ptr->current_buffer_size != 0)
-   {
-      png_size_t save_size = png_ptr->current_buffer_size;
-      png_uint_32 skip_length = png_ptr->skip_length;
-
-      /* We want the smaller of 'skip_length' and 'current_buffer_size', here,
-       * the same problem exists as above and the same solution.
-       */
-      if (skip_length < save_size)
-         save_size = (png_size_t)skip_length;
-
-      else
-         skip_length = (png_uint_32)save_size;
-
-      png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size);
-
-      png_ptr->skip_length -= skip_length;
-      png_ptr->buffer_size -= save_size;
-      png_ptr->current_buffer_size -= save_size;
-      png_ptr->current_buffer_ptr += save_size;
-   }
-   if (png_ptr->skip_length == 0)
-   {
-      PNG_PUSH_SAVE_BUFFER_IF_LT(4)
-      png_crc_finish(png_ptr, 0);
-      png_ptr->process_mode = PNG_READ_CHUNK_MODE;
-   }
-}
-
 void PNGCBAPI
 png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length)
 {
@@ -612,13 +524,11 @@ png_push_save_buffer(png_structrp png_ptr)
       if (png_ptr->save_buffer == NULL)
       {
          png_free(png_ptr, old_buffer);
-         old_buffer = NULL;
          png_error(png_ptr, "Insufficient memory for save_buffer");
       }
 
       memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size);
       png_free(png_ptr, old_buffer);
-      old_buffer = NULL;
       png_ptr->save_buffer_max = new_max;
    }
    if (png_ptr->current_buffer_size)
@@ -681,7 +591,7 @@ png_push_read_IDAT(png_structrp png_ptr)
        * are of different types and we don't know which variable has the fewest
        * bits.  Carefully select the smaller and cast it to the type of the
        * larger - this cannot overflow.  Do not cast in the following test - it
-       * will break on either 16 or 64 bit platforms.
+       * will break on either 16-bit or 64-bit platforms.
        */
       if (idat_size < save_size)
          save_size = (png_size_t)idat_size;
@@ -724,6 +634,7 @@ png_push_read_IDAT(png_structrp png_ptr)
       png_ptr->current_buffer_size -= save_size;
       png_ptr->current_buffer_ptr += save_size;
    }
+
    if (png_ptr->idat_size == 0)
    {
       PNG_PUSH_SAVE_BUFFER_IF_LT(4)
@@ -754,7 +665,7 @@ png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
     * or the stream marked as finished.
     */
    while (png_ptr->zstream.avail_in > 0 &&
-      !(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED))
+      (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0)
    {
       int ret;
 
@@ -779,7 +690,7 @@ png_process_IDAT_data(png_structrp png_ptr, png_bytep buffer,
        * change the current behavior (see comments in inflate.c
        * for why this doesn't happen at present with zlib 1.2.5).
        */
-      ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH);
+      ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH);
 
       /* Check for any failure before proceeding. */
       if (ret != Z_OK && ret != Z_STREAM_END)
@@ -1064,6 +975,7 @@ png_push_process_row(png_structrp png_ptr)
       }
    }
    else
+#endif
    {
       png_push_have_row(png_ptr, png_ptr->row_buf + 1);
       png_read_push_finish_row(png_ptr);
@@ -1073,6 +985,7 @@ png_push_process_row(png_structrp png_ptr)
 void /* PRIVATE */
 png_read_push_finish_row(png_structrp png_ptr)
 {
+#ifdef PNG_READ_INTERLACING_SUPPORTED
    /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */
 
    /* Start of interlace block */
@@ -1097,6 +1010,7 @@ png_read_push_finish_row(png_structrp png_ptr)
    if (png_ptr->row_number < png_ptr->num_rows)
       return;
 
+#ifdef PNG_READ_INTERLACING_SUPPORTED
    if (png_ptr->interlaced != 0)
    {
       png_ptr->row_number = 0;
@@ -1131,6 +1045,7 @@ png_read_push_finish_row(png_structrp png_ptr)
 
       } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0);
    }
+#endif /* READ_INTERLACING */
 }
 
 void /* PRIVATE */
@@ -1155,6 +1070,7 @@ png_push_have_row(png_structrp png_ptr, png_bytep row)
          (int)png_ptr->pass);
 }
 
+#ifdef PNG_READ_INTERLACING_SUPPORTED
 void PNGAPI
 png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
     png_const_bytep new_row)
@@ -1169,6 +1085,7 @@ png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row,
    if (new_row != NULL)
       png_combine_row(png_ptr, old_row, 1/*blocky display*/);
 }
+#endif /* READ_INTERLACING */
 
 void PNGAPI
 png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr,

src/share/native/sun/awt/libpng/pngpriv.h

@@ -29,13 +29,11 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * For conditions of distribution and use, see copyright notice in png.h
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.18 [July 23, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.6.10 [March 6, 1014]]
- *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
@@ -148,8 +146,12 @@
     * to compile with an appropriate #error if ALIGNED_MEMORY has been turned
     * off.
     *
-    * Note that gcc-4.9 defines __ARM_NEON instead of __ARM_NEON__, so we
-    * check both variants.
+    * Note that gcc-4.9 defines __ARM_NEON instead of the deprecated
+    * __ARM_NEON__, so we check both variants.
+    *
+    * To disable ARM_NEON optimizations entirely, and skip compiling the
+    * associated assembler code, pass --enable-arm-neon=no to configure
+    * or put -DPNG_ARM_NEON_OPT=0 in CPPFLAGS.
     */
 #  if (defined(__ARM_NEON__) || defined(__ARM_NEON)) && \
    defined(PNG_ALIGNED_MEMORY_SUPPORTED)
@@ -278,17 +280,18 @@
  * always be used to declare an extern data or function object in this file.
  */
 #ifndef PNG_INTERNAL_DATA
-#  define PNG_INTERNAL_DATA(type, name, array) extern type name array
+#  define PNG_INTERNAL_DATA(type, name, array) PNG_LINKAGE_DATA type name array
 #endif
 
 #ifndef PNG_INTERNAL_FUNCTION
 #  define PNG_INTERNAL_FUNCTION(type, name, args, attributes)\
-      extern PNG_FUNCTION(type, name, args, PNG_EMPTY attributes)
+      PNG_LINKAGE_FUNCTION PNG_FUNCTION(type, name, args, PNG_EMPTY attributes)
 #endif
 
 #ifndef PNG_INTERNAL_CALLBACK
 #  define PNG_INTERNAL_CALLBACK(type, name, args, attributes)\
-      extern PNG_FUNCTION(type, (PNGCBAPI name), args, PNG_EMPTY attributes)
+      PNG_LINKAGE_CALLBACK PNG_FUNCTION(type, (PNGCBAPI name), args,\
+         PNG_EMPTY attributes)
 #endif
 
 /* If floating or fixed point APIs are disabled they may still be compiled
@@ -326,48 +329,27 @@
 #  define PNG_DLL_EXPORT
 #endif
 
-/* SECURITY and SAFETY:
+/* This is a global switch to set the compilation for an installed system
+ * (a release build).  It can be set for testing debug builds to ensure that
+ * they will compile when the build type is switched to RC or STABLE, the
+ * default is just to use PNG_LIBPNG_BUILD_BASE_TYPE.  Set this in CPPFLAGS
+ * with either:
  *
- * By default libpng is built without any internal limits on image size,
- * individual heap (png_malloc) allocations or the total amount of memory used.
- * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used
- * (unless individually overridden).  These limits are believed to be fairly
- * safe, but builders of secure systems should verify the values against the
- * real system capabilities.
- */
-#ifdef PNG_SAFE_LIMITS_SUPPORTED
-   /* 'safe' limits */
-#  ifndef PNG_USER_WIDTH_MAX
-#     define PNG_USER_WIDTH_MAX 1000000
-#  endif
-#  ifndef PNG_USER_HEIGHT_MAX
-#     define PNG_USER_HEIGHT_MAX 1000000
-#  endif
-#  ifndef PNG_USER_CHUNK_CACHE_MAX
-#     define PNG_USER_CHUNK_CACHE_MAX 128
-#  endif
-#  ifndef PNG_USER_CHUNK_MALLOC_MAX
-#     define PNG_USER_CHUNK_MALLOC_MAX 8000000
-#  endif
-#else
-   /* values for no limits */
-#  ifndef PNG_USER_WIDTH_MAX
-#     define PNG_USER_WIDTH_MAX 0x7fffffff
-#  endif
-#  ifndef PNG_USER_HEIGHT_MAX
-#     define PNG_USER_HEIGHT_MAX 0x7fffffff
-#  endif
-#  ifndef PNG_USER_CHUNK_CACHE_MAX
-#     define PNG_USER_CHUNK_CACHE_MAX 0
-#  endif
-#  ifndef PNG_USER_CHUNK_MALLOC_MAX
-#     define PNG_USER_CHUNK_MALLOC_MAX 0
-#  endif
+ *   -DPNG_RELEASE_BUILD Turns on the release compile path
+ *   -DPNG_RELEASE_BUILD=0 Turns it off
+ * or in your pngusr.h with
+ *   #define PNG_RELEASE_BUILD=1 Turns on the release compile path
+ *   #define PNG_RELEASE_BUILD=0 Turns it off
+ */
+#ifndef PNG_RELEASE_BUILD
+#  define PNG_RELEASE_BUILD (PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC)
 #endif
 
-/* Moved to pngpriv.h at libpng-1.5.0 */
-/* NOTE: some of these may have been used in external applications as
- * these definitions were exposed in pngconf.h prior to 1.5.
+/* SECURITY and SAFETY:
+ *
+ * libpng is built with support for internal limits on image dimensions and
+ * memory usage.  These are documented in scripts/pnglibconf.dfa of the
+ * source and recorded in the machine generated header file pnglibconf.h.
  */
 
 /* If you are running on a machine where you cannot allocate more
@@ -610,21 +592,17 @@
 #define PNG_RGB_TO_GRAY_WARN  0x400000
 #define PNG_RGB_TO_GRAY       0x600000 /* two bits, RGB_TO_GRAY_ERR|WARN */
 #define PNG_ENCODE_ALPHA      0x800000 /* Added to libpng-1.5.4 */
-#define PNG_ADD_ALPHA         0x1000000 /* Added to libpng-1.2.7 */
-#define PNG_EXPAND_tRNS       0x2000000 /* Added to libpng-1.2.9 */
-#define PNG_SCALE_16_TO_8     0x4000000 /* Added to libpng-1.5.4 */
-                       /*   0x8000000 unused */
-                       /*  0x10000000 unused */
-                       /*  0x20000000 unused */
-                       /*  0x40000000 unused */
+#define PNG_ADD_ALPHA        0x1000000 /* Added to libpng-1.2.7 */
+#define PNG_EXPAND_tRNS      0x2000000 /* Added to libpng-1.2.9 */
+#define PNG_SCALE_16_TO_8    0x4000000 /* Added to libpng-1.5.4 */
+                       /*    0x8000000 unused */
+                       /*   0x10000000 unused */
+                       /*   0x20000000 unused */
+                       /*   0x40000000 unused */
 /* Flags for png_create_struct */
 #define PNG_STRUCT_PNG   0x0001
 #define PNG_STRUCT_INFO  0x0002
 
-/* Scaling factor for filter heuristic weighting calculations */
-#define PNG_WEIGHT_FACTOR (1<<(PNG_WEIGHT_SHIFT))
-#define PNG_COST_FACTOR (1<<(PNG_COST_SHIFT))
-
 /* Flags for the png_ptr->flags rather than declaring a byte for each one */
 #define PNG_FLAG_ZLIB_CUSTOM_STRATEGY     0x0001
 #define PNG_FLAG_ZSTREAM_INITIALIZED      0x0002 /* Added to libpng-1.6.0 */
@@ -715,7 +693,7 @@
 /* The fixed point conversion performs range checking and evaluates
  * its argument multiple times, so must be used with care.  The
  * range checking uses the PNG specification values for a signed
- * 32 bit fixed point value except that the values are deliberately
+ * 32-bit fixed point value except that the values are deliberately
  * rounded-to-zero to an integral value - 21474 (21474.83 is roughly
  * (2^31-1) * 100000). 's' is a string that describes the value being
  * converted.
@@ -808,15 +786,17 @@
  * macro will fail on top-bit-set values because of the sign extension.
  */
 #define PNG_CHUNK_FROM_STRING(s)\
-   PNG_U32(0xff&(s)[0], 0xff&(s)[1], 0xff&(s)[2], 0xff&(s)[3])
+   PNG_U32(0xff & (s)[0], 0xff & (s)[1], 0xff & (s)[2], 0xff & (s)[3])
 
 /* This uses (char), not (png_byte) to avoid warnings on systems where (char) is
  * signed and the argument is a (char[])  This macro will fail miserably on
  * systems where (char) is more than 8 bits.
  */
 #define PNG_STRING_FROM_CHUNK(s,c)\
-   (void)(((char*)(s))[0]=(char)((c)>>24), ((char*)(s))[1]=(char)((c)>>16),\
-   ((char*)(s))[2]=(char)((c)>>8), ((char*)(s))[3]=(char)((c)))
+   (void)(((char*)(s))[0]=(char)(((c)>>24) & 0xff), \
+   ((char*)(s))[1]=(char)(((c)>>16) & 0xff),\
+   ((char*)(s))[2]=(char)(((c)>>8) & 0xff), \
+   ((char*)(s))[3]=(char)((c & 0xff)))
 
 /* Do the same but terminate with a null character. */
 #define PNG_CSTRING_FROM_CHUNK(s,c)\
@@ -860,7 +840,7 @@
     */
 #endif
 
-/* This is used for 16 bit gamma tables -- only the top level pointers are
+/* This is used for 16-bit gamma tables -- only the top level pointers are
  * const; this could be changed:
  */
 typedef const png_uint_16p * png_const_uint_16pp;
@@ -878,8 +858,9 @@ PNG_INTERNAL_DATA(const png_uint_16, png_sRGB_table, [256]);
 PNG_INTERNAL_DATA(const png_uint_16, png_sRGB_base, [512]);
 PNG_INTERNAL_DATA(const png_byte, png_sRGB_delta, [512]);
 
-#define PNG_sRGB_FROM_LINEAR(linear) ((png_byte)((png_sRGB_base[(linear)>>15] +\
-   ((((linear)&0x7fff)*png_sRGB_delta[(linear)>>15])>>12)) >> 8))
+#define PNG_sRGB_FROM_LINEAR(linear) \
+  ((png_byte)(0xff & ((png_sRGB_base[(linear)>>15] \
+   + ((((linear) & 0x7fff)*png_sRGB_delta[(linear)>>15])>>12)) >> 8)))
    /* Given a value 'linear' in the range 0..255*65535 calculate the 8-bit sRGB
     * encoded value with maximum error 0.646365.  Note that the input is not a
     * 16-bit value; it has been multiplied by 255! */
@@ -1262,6 +1243,14 @@ PNG_INTERNAL_FUNCTION(void,png_read_finish_row,(png_structrp png_ptr),
 /* Initialize the row buffers, etc. */
 PNG_INTERNAL_FUNCTION(void,png_read_start_row,(png_structrp png_ptr),PNG_EMPTY);
 
+#if PNG_ZLIB_VERNUM >= 0x1240
+PNG_INTERNAL_FUNCTION(int,png_zlib_inflate,(png_structrp png_ptr, int flush),
+      PNG_EMPTY);
+#  define PNG_INFLATE(pp, flush) png_zlib_inflate(pp, flush)
+#else /* Zlib < 1.2.4 */
+#  define PNG_INFLATE(pp, flush) inflate(&(pp)->zstream, flush)
+#endif /* Zlib < 1.2.4 */
+
 #ifdef PNG_READ_TRANSFORMS_SUPPORTED
 /* Optional call to update the users info structure */
 PNG_INTERNAL_FUNCTION(void,png_read_transform_info,(png_structrp png_ptr,
@@ -1436,10 +1425,6 @@ PNG_INTERNAL_FUNCTION(void,png_push_read_chunk,(png_structrp png_ptr,
 PNG_INTERNAL_FUNCTION(void,png_push_read_sig,(png_structrp png_ptr,
     png_inforp info_ptr),PNG_EMPTY);
 PNG_INTERNAL_FUNCTION(void,png_push_check_crc,(png_structrp png_ptr),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_push_crc_skip,(png_structrp png_ptr,
-    png_uint_32 length),PNG_EMPTY);
-PNG_INTERNAL_FUNCTION(void,png_push_crc_finish,(png_structrp png_ptr),
-    PNG_EMPTY);
 PNG_INTERNAL_FUNCTION(void,png_push_save_buffer,(png_structrp png_ptr),
     PNG_EMPTY);
 PNG_INTERNAL_FUNCTION(void,png_push_restore_buffer,(png_structrp png_ptr,

src/share/native/sun/awt/libpng/pngrio.c

@@ -29,8 +29,8 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * Last changed in libpng 1.6.15 [November 20, 2014]
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.17 [March 26, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -54,7 +54,7 @@
  * reads from a file pointer.  Note that this routine sometimes gets called
  * with very small lengths, so you should implement some kind of simple
  * buffering if you are using unbuffered reads.  This should never be asked
- * to read more then 64K on a 16 bit machine.
+ * to read more than 64K on a 16-bit machine.
  */
 void /* PRIVATE */
 png_read_data(png_structrp png_ptr, png_bytep data, png_size_t length)

src/share/native/sun/awt/libpng/pngstruct.h

@@ -29,12 +29,11 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * Copyright (c) 1998-2013 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.18 [July 23, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
- * Last changed in libpng 1.6.1 [March 28, 2013]
- *
  * This code is released under the libpng license.
  * For conditions of distribution and use, see the disclaimer
  * and license in png.h
@@ -129,7 +128,7 @@ typedef struct png_XYZ
 #endif /* COLORSPACE */
 
 #if defined(PNG_COLORSPACE_SUPPORTED) || defined(PNG_GAMMA_SUPPORTED)
-/* A colorspace is all the above plus, potentially, profile information,
+/* A colorspace is all the above plus, potentially, profile information;
  * however at present libpng does not use the profile internally so it is only
  * stored in the png_info struct (if iCCP is supported.)  The rendering intent
  * is retained here and is checked.
@@ -248,16 +247,18 @@ struct png_struct_def
    png_uint_32 row_number;    /* current row in interlace pass */
    png_uint_32 chunk_name;    /* PNG_CHUNK() id of current chunk */
    png_bytep prev_row;        /* buffer to save previous (unfiltered) row.
-                               * This is a pointer into big_prev_row
+                               * While reading this is a pointer into
+                               * big_prev_row; while writing it is separately
+                               * allocated if needed.
                                */
    png_bytep row_buf;         /* buffer to save current (unfiltered) row.
-                               * This is a pointer into big_row_buf
+                               * While reading, this is a pointer into
+                               * big_row_buf; while writing it is separately
+                               * allocated.
                                */
-#ifdef PNG_WRITE_SUPPORTED
-   png_bytep sub_row;         /* buffer to save "sub" row when filtering */
-   png_bytep up_row;          /* buffer to save "up" row when filtering */
-   png_bytep avg_row;         /* buffer to save "avg" row when filtering */
-   png_bytep paeth_row;       /* buffer to save "Paeth" row when filtering */
+#ifdef PNG_WRITE_FILTER_SUPPORTED
+   png_bytep try_row;    /* buffer to save trial row when filtering */
+   png_bytep tst_row;    /* buffer to save best trial row when filtering */
 #endif
    png_size_t info_rowbytes;  /* Added in 1.5.4: cache of updated row bytes */
 
@@ -290,6 +291,9 @@ struct png_struct_def
                               /* pixel depth used for the row buffers */
    png_byte transformed_pixel_depth;
                               /* pixel depth after read/write transforms */
+#if PNG_ZLIB_VERNUM >= 0x1240
+   png_byte zstream_start;    /* at start of an input zlib stream */
+#endif /* Zlib >= 1.2.4 */
 #if defined(PNG_READ_FILLER_SUPPORTED) || defined(PNG_WRITE_FILLER_SUPPORTED)
    png_uint_16 filler;           /* filler bytes for pixel expansion */
 #endif
@@ -375,17 +379,7 @@ struct png_struct_def
    png_bytep quantize_index; /* index translation for palette files */
 #endif
 
-#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED
-   png_byte heuristic_method;        /* heuristic for row filter selection */
-   png_byte num_prev_filters;        /* number of weights for previous rows */
-   png_bytep prev_filters;           /* filter type(s) of previous row(s) */
-   png_uint_16p filter_weights;      /* weight(s) for previous line(s) */
-   png_uint_16p inv_filter_weights;  /* 1/weight(s) for previous line(s) */
-   png_uint_16p filter_costs;        /* relative filter calculation cost */
-   png_uint_16p inv_filter_costs;    /* 1/relative filter calculation cost */
-#endif
-
-   /* Options */
+/* Options */
 #ifdef PNG_SET_OPTION_SUPPORTED
    png_byte options;           /* On/off state (up to 4 options) */
 #endif

src/share/native/sun/awt/libpng/pngtrans.c

@@ -29,8 +29,8 @@
  * However, the following notice accompanied the original version of this
  * file and, per its terms, should not be removed:
  *
- * Last changed in libpng 1.6.15 [November 20, 2014]
- * Copyright (c) 1998-2014 Glenn Randers-Pehrson
+ * Last changed in libpng 1.6.18 [July 23, 2015]
+ * Copyright (c) 1998-2015 Glenn Randers-Pehrson
  * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
  * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
  *
@@ -58,7 +58,7 @@ png_set_bgr(png_structrp png_ptr)
 #endif
 
 #if defined(PNG_READ_SWAP_SUPPORTED) || defined(PNG_WRITE_SWAP_SUPPORTED)
-/* Turn on 16 bit byte swapping */
+/* Turn on 16-bit byte swapping */
 void PNGAPI
 png_set_swap(png_structrp png_ptr)
 {
@@ -341,7 +341,7 @@ png_do_invert(png_row_infop row_info, png_bytep row)
 
 #ifdef PNG_16BIT_SUPPORTED
 #if defined(PNG_READ_SWAP_SUPPORTED) || defined(PNG_WRITE_SWAP_SUPPORTED)
-/* Swaps byte order on 16 bit depth images */
+/* Swaps byte order on 16-bit depth images */
 void /* PRIVATE */
 png_do_swap(png_row_infop row_info, png_bytep row)
 {
@@ -732,7 +732,7 @@ png_do_check_palette_indexes(png_structrp png_ptr, png_row_infop row_info)
              */
             for (; rp > png_ptr->row_buf; rp--)
             {
-              if (*rp >> padding != 0)
+              if ((*rp >> padding) != 0)
                  png_ptr->num_palette_max = 1;
               padding = 0;
             }

src/share/native/sun/awt/libpng/pngwio.c

@@ -54,7 +54,7 @@
  * writes to a file pointer.  Note that this routine sometimes gets called
  * with very small lengths, so you should implement some kind of simple
  * buffering if you are using unbuffered writes.  This should never be asked
- * to write more than 64K on a 16 bit machine.
+ * to write more than 64K on a 16-bit machine.
  */
 
 void /* PRIVATE */

src/share/native/sun/awt/splashscreen/splashscreen_png.c

@@ -103,6 +103,7 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
     if (png_get_gAMA(png_ptr, info_ptr, &gamma))
         png_set_gamma(png_ptr, 2.2, gamma);
 
+    png_set_interlace_handling(png_ptr);
     png_read_update_info(png_ptr, info_ptr);
 
     rowbytes = png_get_rowbytes(png_ptr, info_ptr);