Mercurial > hg > release > icedtea-1.9

view patches/security/icedtea-6792554.patch @ 1768:3a122c249dda

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Port latest security fixes from IcedTea6. 2009-04-06 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add new patches. * patches/security/icedtea-6536193.patch, * patches/security/icedtea-6610888.patch, * patches/security/icedtea-6610896.patch, * patches/security/icedtea-6630639.patch, * patches/security/icedtea-6632886.patch, * patches/security/icedtea-6636360.patch, * patches/security/icedtea-6652463.patch, * patches/security/icedtea-6656633.patch, * patches/security/icedtea-6658158.patch, * patches/security/icedtea-6691246.patch, * patches/security/icedtea-6717680.patch, * patches/security/icedtea-6721651.patch, * patches/security/icedtea-6737315.patch, * patches/security/icedtea-6792554.patch, * patches/security/icedtea-6804996.patch, * patches/security/icedtea-6804997.patch, * patches/security/icedtea-6804998.patch: Security patches ported from IcedTea6.
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 07 Apr 2009 01:02:17 +0100
parents
children
line wrap: on
line source

diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp	2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp	2009-04-06 18:51:27.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -94,6 +94,7 @@
       assert(!valc->isMalloc);
     }
     xvs.init(u->rp, u->rplimit, valc);
+    CHECK;
     int X = xvs.getInt();
     if (valc->S() != 0) {
       assert(valc->min <= -256);
@@ -117,6 +118,7 @@
     byte XB_byte = (byte) XB;
     byte* XB_ptr = &XB_byte;
     cm.init(u->rp, u->rplimit, XB_ptr, 0, defc, length, null);
+    CHECK;
   } else {
     NOT_PRODUCT(byte* meta_rp0 = u->meta_rp);
     assert(u->meta_rp != null);
@@ -215,8 +217,19 @@
   if (length == 0)  return 0;
   if (total_memo > 0)  return total_memo-1;
   int total = getInt();
+  // overflow checks require that none of the addends are <0,
+  // and that the partial sums never overflow (wrap negative)
+  if (total < 0) {
+    abort("overflow detected");
+    return 0;
+  }
   for (int k = length-1; k > 0; k--) {
-    total += vs[0].getInt();
+    int prev_total = total;
+    total += vs[0].getInt(); 
+    if (total < prev_total) {
+      abort("overflow detected");
+      return 0;
+    }
   }
   rewind();
   total_memo = total+1;
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp	2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp	2009-04-06 18:51:43.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -814,6 +814,7 @@
     }
     band_rp = vs.rp;
   }
+  CHECK;
 
   // Get an accurate upper limit now.
   vs0.rplimit = band_rp;
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h	2009-04-06 18:38:11.000000000 +0100
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h	2009-04-06 18:51:06.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -149,6 +149,8 @@
 #define CHECK_NULL_(y,p)        _CHECK_DO((p)==null, return y)
 #define CHECK_NULL_0(p)         _CHECK_DO((p)==null, return 0)
 
+#define CHECK_COUNT(t)          if (t < 0){abort("bad value count");} CHECK
+
 #define STR_TRUE   "true"
 #define STR_FALSE  "false"
 
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	2009-04-06 18:53:46.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -523,15 +523,40 @@
   enum {
     MAGIC_BYTES = 4,
     AH_LENGTH_0 = 3,  //minver, majver, options are outside of archive_size
+    AH_LENGTH_0_MAX = AH_LENGTH_0 + 1,  // options might have 2 bytes
     AH_LENGTH   = 26, //maximum archive header length (w/ all fields)
     // Length contributions from optional header fields:
     AH_FILE_HEADER_LEN = 5, // sizehi/lo/next/modtime/files
+    AH_ARCHIVE_SIZE_LEN = 2, // sizehi/lo only; part of AH_FILE_HEADER_LEN
     AH_CP_NUMBER_LEN = 4,  // int/float/long/double
     AH_SPECIAL_FORMAT_LEN = 2, // layouts/band-headers
     AH_LENGTH_MIN = AH_LENGTH
         -(AH_FILE_HEADER_LEN+AH_SPECIAL_FORMAT_LEN+AH_CP_NUMBER_LEN),
+    ARCHIVE_SIZE_MIN = AH_LENGTH_MIN - (AH_LENGTH_0 + AH_ARCHIVE_SIZE_LEN),
     FIRST_READ  = MAGIC_BYTES + AH_LENGTH_MIN
   };
+
+
+  assert(AH_LENGTH_MIN    == 15); // # of UNSIGNED5 fields required after archive_magic
+  assert(ARCHIVE_SIZE_MIN == 10); // # of UNSIGNED5 fields required after archive_size
+  // An absolute minimum null archive is magic[4], {minver,majver,options}[3],
+  // archive_size[0], cp_counts[8], class_counts[4], for a total of 19 bytes.
+  // (Note that archive_size is optional; it may be 0..10 bytes in length.)
+  // The first read must capture everything up through the options field.
+  // This happens to work even if {minver,majver,options} is a pathological
+  // 15 bytes long.  Legal pack files limit those three fields to 1+1+2 bytes.
+  assert(FIRST_READ >= MAGIC_BYTES + AH_LENGTH_0 * B_MAX);
+
+  // Up through archive_size, the largest possible archive header is
+  // magic[4], {minver,majver,options}[4], archive_size[10].
+  // (Note only the low 12 bits of options are allowed to be non-zero.)
+  // In order to parse archive_size, we need at least this many bytes
+  // in the first read.  Of course, if archive_size_hi is more than
+  // a byte, we probably will fail to allocate the buffer, since it
+  // will be many gigabytes long.  This is a practical, not an
+  // architectural limit to Pack200 archive sizes.
+  assert(FIRST_READ >= MAGIC_BYTES + AH_LENGTH_0_MAX + 2*B_MAX);
+
   bool foreign_buf = (read_input_fn == null);
   byte initbuf[(int)FIRST_READ + (int)C_SLOP + 200];  // 200 is for JAR I/O
   if (foreign_buf) {
@@ -547,7 +572,7 @@
     // There is no way to tell the caller that we used only part of them.
     // Therefore, the caller must use only a bare minimum of read-ahead.
     if (inbytes.len > FIRST_READ) {
-      abort("too much pushback");
+      abort("too much read-ahead");
       return;
     }
     input.set(initbuf, sizeof(initbuf));
@@ -557,7 +582,7 @@
     rplimit += inbytes.len;
     bytes_read += inbytes.len;
   }
-  // Read only 19 bytes, which is certain to contain #archive_size fields,
+  // Read only 19 bytes, which is certain to contain #archive_options fields,
   // but is certain not to overflow past the archive_header.
   input.b.len = FIRST_READ;
   if (!ensure_input(FIRST_READ))
@@ -630,8 +655,8 @@
   if ((archive_options & ~OPTION_LIMIT) != 0) {
     fprintf(errstrm, "Warning: Illegal archive options 0x%x\n",
             archive_options);
-    // Do not abort.  If the format really changes, version numbers will bump.
-    //abort("illegal archive options");
+    abort("illegal archive options");
+    return;
   }
 
   if ((archive_options & AO_HAVE_FILE_HEADERS) != 0) {
@@ -663,8 +688,17 @@
       return;
     }
   } else if (archive_size > 0) {
+    if (archive_size < ARCHIVE_SIZE_MIN) {
+      abort("impossible archive size");  // bad input data
+      return;
+    }
+    if (archive_size < header_size_1) {
+      abort("too much read-ahead");  // somehow we pre-fetched too much?
+      return;
+    }   
     input.set(U_NEW(byte, (size_t)(header_size_0 + archive_size + C_SLOP)),
               (size_t) header_size_0 + (size_t)archive_size);
+    CHECK;
     assert(input.limit()[0] == 0);
     // Move all the bytes we read initially into the real buffer.
     input.b.copyFrom(initbuf, header_size);
@@ -680,6 +714,7 @@
     rp = rplimit = input.base();
     // Set up input buffer as if we already read the header:
     input.b.copyFrom(initbuf, header_size);
+    CHECK;
     rplimit += header_size;
     while (ensure_input(input.limit() - rp)) {
       size_t dataSoFar = input_remaining();
@@ -715,8 +750,10 @@
 
   if ((archive_options & AO_HAVE_FILE_HEADERS) != 0) {
     archive_next_count = hdr.getInt();
+    CHECK_COUNT(archive_next_count);
     archive_modtime = hdr.getInt();
     file_count = hdr.getInt();
+    CHECK_COUNT(file_count);
     hdrVals += 3;
   } else {
     hdrValsSkipped += 3;
@@ -724,7 +761,9 @@
 
   if ((archive_options & AO_HAVE_SPECIAL_FORMATS) != 0) {
     band_headers_size = hdr.getInt();
+    CHECK_COUNT(band_headers_size);
     attr_definition_count = hdr.getInt();
+    CHECK_COUNT(attr_definition_count);
     hdrVals += 2;
   } else {
     hdrValsSkipped += 2;
@@ -744,13 +783,16 @@
       }
     }
     cp_counts[k] = hdr.getInt();
+    CHECK_COUNT(cp_counts[k]);
     hdrVals += 1;
   }
 
   ic_count = hdr.getInt();
+  CHECK_COUNT(ic_count);
   default_class_minver = hdr.getInt();
   default_class_majver = hdr.getInt();
   class_count = hdr.getInt();
+  CHECK_COUNT(class_count);
   hdrVals += 4;
 
   // done with archive_header
@@ -807,7 +849,6 @@
   bytes::of(band_headers.limit(), C_SLOP).clear(_meta_error);
 }
 
-
 void unpacker::finish() {
   if (verbose >= 1) {
     fprintf(errstrm,
@@ -2117,13 +2158,14 @@
 
   field_descr.readData(field_count);
   read_attrs(ATTR_CONTEXT_FIELD, field_count);
+  CHECK;
 
   method_descr.readData(method_count);
   read_attrs(ATTR_CONTEXT_METHOD, method_count);
-
   CHECK;
 
   read_attrs(ATTR_CONTEXT_CLASS, class_count);
+  CHECK;
 
   read_code_headers();
 
@@ -2150,10 +2192,12 @@
   assert(endsWith(xxx_flags_hi.name, "_flags_hi"));
   if (haveLongFlags)
     xxx_flags_hi.readData(obj_count);
+  CHECK;
 
   band& xxx_flags_lo = ad.xxx_flags_lo();
   assert(endsWith(xxx_flags_lo.name, "_flags_lo"));
   xxx_flags_lo.readData(obj_count);
+  CHECK;
 
   // pre-scan flags, counting occurrences of each index bit
   julong indexMask = ad.flagIndexMask();  // which flag bits are index bits?
@@ -2176,11 +2220,13 @@
   assert(endsWith(xxx_attr_count.name, "_attr_count"));
   // There is one count element for each 1<<16 bit set in flags:
   xxx_attr_count.readData(ad.predefCount(X_ATTR_OVERFLOW));
+  CHECK;
 
   band& xxx_attr_indexes = ad.xxx_attr_indexes();
   assert(endsWith(xxx_attr_indexes.name, "_attr_indexes"));
   int overflowIndexCount = xxx_attr_count.getIntTotal();
   xxx_attr_indexes.readData(overflowIndexCount);
+  CHECK;
   // pre-scan attr indexes, counting occurrences of each value
   for (i = 0; i < overflowIndexCount; i++) {
     idx = xxx_attr_indexes.getInt();
@@ -2211,6 +2257,7 @@
     }
   }
   ad.xxx_attr_calls().readData(backwardCounts);
+  CHECK;
 
   // Read built-in bands.
   // Mostly, these are hand-coded equivalents to readBandData().
@@ -2219,42 +2266,53 @@
 
     count = ad.predefCount(CLASS_ATTR_SourceFile);
     class_SourceFile_RUN.readData(count);
+    CHECK;
 
     count = ad.predefCount(CLASS_ATTR_EnclosingMethod);
     class_EnclosingMethod_RC.readData(count);
     class_EnclosingMethod_RDN.readData(count);
+    CHECK;
 
     count = ad.predefCount(X_ATTR_Signature);
     class_Signature_RS.readData(count);
+    CHECK;
 
     ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
     ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
 
     count = ad.predefCount(CLASS_ATTR_InnerClasses);
     class_InnerClasses_N.readData(count);
+    CHECK;
+
     count = class_InnerClasses_N.getIntTotal();
     class_InnerClasses_RC.readData(count);
     class_InnerClasses_F.readData(count);
+    CHECK;
     // Drop remaining columns wherever flags are zero:
     count -= class_InnerClasses_F.getIntCount(0);
     class_InnerClasses_outer_RCN.readData(count);
     class_InnerClasses_name_RUN.readData(count);
+    CHECK;
 
     count = ad.predefCount(CLASS_ATTR_ClassFile_version);
     class_ClassFile_version_minor_H.readData(count);
     class_ClassFile_version_major_H.readData(count);
+    CHECK;
     break;
 
   case ATTR_CONTEXT_FIELD:
 
     count = ad.predefCount(FIELD_ATTR_ConstantValue);
     field_ConstantValue_KQ.readData(count);
+    CHECK;
 
     count = ad.predefCount(X_ATTR_Signature);
     field_Signature_RS.readData(count);
+    CHECK;
 
     ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
     ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
+    CHECK;
     break;
 
   case ATTR_CONTEXT_METHOD:
@@ -2266,15 +2324,18 @@
     method_Exceptions_N.readData(count);
     count = method_Exceptions_N.getIntTotal();
     method_Exceptions_RC.readData(count);
+    CHECK;
 
     count = ad.predefCount(X_ATTR_Signature);
     method_Signature_RS.readData(count);
+    CHECK;
 
     ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
     ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
     ad.readBandData(METHOD_ATTR_RuntimeVisibleParameterAnnotations);
     ad.readBandData(METHOD_ATTR_RuntimeInvisibleParameterAnnotations);
     ad.readBandData(METHOD_ATTR_AnnotationDefault);
+    CHECK;
     break;
 
   case ATTR_CONTEXT_CODE:
@@ -2286,8 +2347,10 @@
       return;
     }
     code_StackMapTable_N.readData(count);
+    CHECK;
     count = code_StackMapTable_N.getIntTotal();
     code_StackMapTable_frame_T.readData(count);
+    CHECK;
     // the rest of it depends in a complicated way on frame tags
     {
       int fat_frame_count = 0;
@@ -2321,18 +2384,23 @@
       // deal completely with fat frames:
       offset_count += fat_frame_count;
       code_StackMapTable_local_N.readData(fat_frame_count);
+      CHECK;
       type_count += code_StackMapTable_local_N.getIntTotal();
       code_StackMapTable_stack_N.readData(fat_frame_count);
       type_count += code_StackMapTable_stack_N.getIntTotal();
+      CHECK;
       // read the rest:
       code_StackMapTable_offset.readData(offset_count);
       code_StackMapTable_T.readData(type_count);
+      CHECK;
       // (7) [RCH]
       count = code_StackMapTable_T.getIntCount(7);
       code_StackMapTable_RC.readData(count);
+      CHECK;
       // (8) [PH]
       count = code_StackMapTable_T.getIntCount(8);
       code_StackMapTable_P.readData(count);
+      CHECK;
     }
 
     count = ad.predefCount(CODE_ATTR_LineNumberTable);
@@ -2654,6 +2722,8 @@
   code_max_na_locals.readData();
   code_handler_count.readData();
   totalHandlerCount += code_handler_count.getIntTotal();
+  CHECK;
+
 
   // Read handler specifications.
   // Cf. PackageReader.readCodeHandlers.
@@ -2661,8 +2731,10 @@
   code_handler_end_PO.readData(totalHandlerCount);
   code_handler_catch_PO.readData(totalHandlerCount);
   code_handler_class_RCN.readData(totalHandlerCount);
+  CHECK;
 
   read_attrs(ATTR_CONTEXT_CODE, totalFlagsCount);
+  CHECK;
 }
 
 static inline bool is_in_range(uint n, uint min, uint max) {