80594853: Resolve parsing ambiguity

Reviewed-by: mullan, vinnie

80594853: Resolve parsing ambiguity
Reviewed-by: mullan, vinnie
bbb2b65e · weijun · 09315ed3 · bbb2b65e · bbb2b65e · bbb2b65e
3 changed file
--- a/src/share/classes/com/sun/jndi/ldap/BerDecoder.java
+++ b/src/share/classes/com/sun/jndi/ldap/BerDecoder.java
@@ -95,6 +95,9 @@ public final class BerDecoder extends Ber {
            for( int i = 0; i < lengthbyte; i++) {
                retval = (retval << 8) + (buf[offset++] & 0xff);
            }
+            if (retval < 0) {
+              throw new DecodeException("Invalid length bytes");
+            }
            return retval;
        } else {
            return lengthbyte;

--- a/src/share/classes/sun/security/util/DerIndefLenConverter.java
+++ b/src/share/classes/sun/security/util/DerIndefLenConverter.java
@@ -156,12 +156,18 @@ class DerIndefLenConverter {
        }
        if (isLongForm(lenByte)) {
            lenByte &= LEN_MASK;
-            if (lenByte > 4)
+            if (lenByte > 4) {
                throw new IOException("Too much data");
-            if ((dataSize - dataPos) < (lenByte + 1))
+            }
+            if ((dataSize - dataPos) < (lenByte + 1)) {
                throw new IOException("Too little data");
-            for (int i = 0; i < lenByte; i++)
+            }
+            for (int i = 0; i < lenByte; i++) {
                curLen = (curLen << 8) + (data[dataPos++] & 0xff);
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
        } else {
           curLen = (lenByte & LEN_MASK);
        }
@@ -188,10 +194,15 @@ class DerIndefLenConverter {
        }
        if (isLongForm(lenByte)) {
            lenByte &= LEN_MASK;
-            for (int i = 0; i < lenByte; i++)
+            for (int i = 0; i < lenByte; i++) {
                curLen = (curLen << 8) + (data[dataPos++] & 0xff);
-        } else
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
+        } else {
            curLen = (lenByte & LEN_MASK);
+        }
        writeLength(curLen);
        writeValue(curLen);
    }

--- a/src/share/classes/sun/security/util/DerInputStream.java
+++ b/src/share/classes/sun/security/util/DerInputStream.java
@@ -566,6 +566,10 @@ public class DerInputStream {
                value <<= 8;
                value += 0x0ff & in.read();
            }
+            if (value < 0) {
+                throw new IOException("DerInputStream.getLength(): "
+                        + "Invalid length bytes");
+            }
        }
        return value;
    }