view patches/security/icedtea-6792554.patch @ 1768:3a122c249dda
Port latest security fixes from IcedTea6.
2009-04-06 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am:
Add new patches.
* patches/security/icedtea-6536193.patch,
* patches/security/icedtea-6610888.patch,
* patches/security/icedtea-6610896.patch,
* patches/security/icedtea-6630639.patch,
* patches/security/icedtea-6632886.patch,
* patches/security/icedtea-6636360.patch,
* patches/security/icedtea-6652463.patch,
* patches/security/icedtea-6656633.patch,
* patches/security/icedtea-6658158.patch,
* patches/security/icedtea-6691246.patch,
* patches/security/icedtea-6717680.patch,
* patches/security/icedtea-6721651.patch,
* patches/security/icedtea-6737315.patch,
* patches/security/icedtea-6792554.patch,
* patches/security/icedtea-6804996.patch,
* patches/security/icedtea-6804997.patch,
* patches/security/icedtea-6804998.patch:
Security patches ported from IcedTea6.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Tue, 07 Apr 2009 01:02:17 +0100 |
parents | |
children |
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp 2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/bands.cpp 2009-04-06 18:51:27.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -94,6 +94,7 @@
 assert(!valc->isMalloc);
 }
 xvs.init(u->rp, u->rplimit, valc);
+ CHECK;
 int X = xvs.getInt();
 if (valc->S() != 0) {
 assert(valc->min <= -256);
@@ -117,6 +118,7 @@
 byte XB_byte = (byte) XB;
 byte* XB_ptr = &XB_byte;
 cm.init(u->rp, u->rplimit, XB_ptr, 0, defc, length, null);
+ CHECK;
 } else {
 NOT_PRODUCT(byte* meta_rp0 = u->meta_rp);
 assert(u->meta_rp != null);
@@ -215,8 +217,19 @@
 if (length == 0) return 0;
 if (total_memo > 0) return total_memo-1;
 int total = getInt();
+ // overflow checks require that none of the addends are <0,
+ // and that the partial sums never overflow (wrap negative)
+ if (total < 0) {
+ abort("overflow detected");
+ return 0;
+ }
 for (int k = length-1; k > 0; k--) {
- total += vs[0].getInt();
+ int prev_total = total;
+ total += vs[0].getInt();
+ if (total < prev_total) {
+ abort("overflow detected");
+ return 0;
+ }
 }
 rewind();
 total_memo = total+1;
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp 2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/coding.cpp 2009-04-06 18:51:43.000000000 +0100
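Review bot: The wrap-around test `if (total < prev_total)` in the `@@ -215` hunk of bands.cpp relies on signed int overflow, which is undefined behaviour in C++, so an optimising compiler may assume `total += vs[0].getInt()` never wraps and delete the comparison, leaving no protection on exactly the inputs the check was written for. Test before adding instead: `int x = vs[0].getInt();` / `if (x < 0 || total > INT_MAX - x) { abort("overflow detected"); return 0; }` / `total += x;`, which also turns the "none of the addends are <0" precondition from the new comment into an explicit check. The enclosing function is cut at both edges of the hunk, and whether getInt() can itself return a negative value is not visible here.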
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -814,6 +814,7 @@
 }
 band_rp = vs.rp;
 }
+ CHECK;
 
 // Get an accurate upper limit now.
 vs0.rplimit = band_rp;
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h 2009-04-06 18:38:11.000000000 +0100
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/defines.h 2009-04-06 18:51:06.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -149,6 +149,8 @@
 #define CHECK_NULL_(y,p) _CHECK_DO((p)==null, return y)
 #define CHECK_NULL_0(p) _CHECK_DO((p)==null, return 0)
 
+#define CHECK_COUNT(t) if (t < 0){abort("bad value count");} CHECK
+
 #define STR_TRUE "true"
 #define STR_FALSE "false"
 
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp 2009-03-05 08:29:01.000000000 +0000
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp 2009-04-06 18:53:46.000000000 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
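Review bot: The new `CHECK_COUNT(t)` in the defines.h `@@ -149` hunk neither parenthesises its argument nor braces its expansion as a single statement, so an argument containing a conditional or comma expression is mis-parsed and a use as the sole body of an unbraced `if` binds only the first of the two statements; the neighbouring `CHECK_NULL_*` macros already wrap their argument as `(p)`. Suggested: `#define CHECK_COUNT(t) if ((t) < 0) { abort("bad value count"); } CHECK`, with a comment such as `// expands to two statements; use only as a statement at block level` so callers know not to use it in expression position. What `CHECK` expands to is outside the hunk, so it cannot be folded into a do/while wrapper from what is visible here.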
@@ -523,15 +523,40 @@
 enum {
 MAGIC_BYTES = 4,
 AH_LENGTH_0 = 3, //minver, majver, options are outside of archive_size
+ AH_LENGTH_0_MAX = AH_LENGTH_0 + 1, // options might have 2 bytes
 AH_LENGTH = 26, //maximum archive header length (w/ all fields)
 // Length contributions from optional header fields:
 AH_FILE_HEADER_LEN = 5, // sizehi/lo/next/modtime/files
+ AH_ARCHIVE_SIZE_LEN = 2, // sizehi/lo only; part of AH_FILE_HEADER_LEN
 AH_CP_NUMBER_LEN = 4, // int/float/long/double
 AH_SPECIAL_FORMAT_LEN = 2, // layouts/band-headers
 AH_LENGTH_MIN = AH_LENGTH
 -(AH_FILE_HEADER_LEN+AH_SPECIAL_FORMAT_LEN+AH_CP_NUMBER_LEN),
+ ARCHIVE_SIZE_MIN = AH_LENGTH_MIN - (AH_LENGTH_0 + AH_ARCHIVE_SIZE_LEN),
 FIRST_READ = MAGIC_BYTES + AH_LENGTH_MIN
 };
+
+
+ assert(AH_LENGTH_MIN == 15); // # of UNSIGNED5 fields required after archive_magic
+ assert(ARCHIVE_SIZE_MIN == 10); // # of UNSIGNED5 fields required after archive_size
+ // An absolute minimum null archive is magic[4], {minver,majver,options}[3],
+ // archive_size[0], cp_counts[8], class_counts[4], for a total of 19 bytes.
+ // (Note that archive_size is optional; it may be 0..10 bytes in length.)
+ // The first read must capture everything up through the options field.
+ // This happens to work even if {minver,majver,options} is a pathological
+ // 15 bytes long. Legal pack files limit those three fields to 1+1+2 bytes.
+ assert(FIRST_READ >= MAGIC_BYTES + AH_LENGTH_0 * B_MAX);
+
+ // Up through archive_size, the largest possible archive header is
+ // magic[4], {minver,majver,options}[4], archive_size[10].
+ // (Note only the low 12 bits of options are allowed to be non-zero.)
+ // In order to parse archive_size, we need at least this many bytes
+ // in the first read. Of course, if archive_size_hi is more than
+ // a byte, we probably will fail to allocate the buffer, since it
+ // will be many gigabytes long. This is a practical, not an
+ // architectural limit to Pack200 archive sizes.
+ assert(FIRST_READ >= MAGIC_BYTES + AH_LENGTH_0_MAX + 2*B_MAX);
+
 bool foreign_buf = (read_input_fn == null);
 byte initbuf[(int)FIRST_READ + (int)C_SLOP + 200]; // 200 is for JAR I/O
 if (foreign_buf) {
@@ -547,7 +572,7 @@
 // There is no way to tell the caller that we used only part of them.
 // Therefore, the caller must use only a bare minimum of read-ahead.
 if (inbytes.len > FIRST_READ) {
- abort("too much pushback");
+ abort("too much read-ahead");
 return;
 }
 input.set(initbuf, sizeof(initbuf));
@@ -557,7 +582,7 @@
 rplimit += inbytes.len;
 bytes_read += inbytes.len;
 }
- // Read only 19 bytes, which is certain to contain #archive_size fields,
+ // Read only 19 bytes, which is certain to contain #archive_options fields,
 // but is certain not to overflow past the archive_header.
 input.b.len = FIRST_READ;
 if (!ensure_input(FIRST_READ))
@@ -630,8 +655,8 @@
 if ((archive_options & ~OPTION_LIMIT) != 0) {
 fprintf(errstrm, "Warning: Illegal archive options 0x%x\n",
 archive_options);
- // Do not abort. If the format really changes, version numbers will bump.
- //abort("illegal archive options");
+ abort("illegal archive options");
+ return;
 }
 
 if ((archive_options & AO_HAVE_FILE_HEADERS) != 0) {
@@ -663,8 +688,17 @@
 return;
 }
 } else if (archive_size > 0) {
+ if (archive_size < ARCHIVE_SIZE_MIN) {
+ abort("impossible archive size"); // bad input data
+ return;
+ }
+ if (archive_size < header_size_1) {
+ abort("too much read-ahead"); // somehow we pre-fetched too much?
+ return;
+ }
 input.set(U_NEW(byte, (size_t)(header_size_0 + archive_size + C_SLOP)),
 (size_t) header_size_0 + (size_t)archive_size);
+ CHECK;
 assert(input.limit()[0] == 0);
 // Move all the bytes we read initially into the real buffer.
 input.b.copyFrom(initbuf, header_size);
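Review bot: The two new guards in the `@@ -663` hunk bound `archive_size` only from below, while the allocation on the next line still casts `(size_t)(header_size_0 + archive_size + C_SLOP)`; if archive_size is wider than size_t on the target (the comment added in the `@@ -523` hunk talks about archive_size_hi exceeding a byte, which suggests a 64-bit value assembled from two halves), the cast truncates silently and the `CHECK` added after `input.set(...)` only observes an allocation that failed, not one that succeeded at a wrapped size. An explicit upper bound before the cast, mirroring the lower-bound check already added, would close that: `if (archive_size > SIZE_MAX - header_size_0 - C_SLOP) { abort("impossible archive size"); return; }`. Whether U_NEW reports failure through the aborting state that `CHECK` tests is not visible in this hunk, so that part is inferred from the surrounding pattern. The enclosing function starts and ends outside the hunk.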
@@ -680,6 +714,7 @@
 rp = rplimit = input.base();
 // Set up input buffer as if we already read the header:
 input.b.copyFrom(initbuf, header_size);
+ CHECK;
 rplimit += header_size;
 while (ensure_input(input.limit() - rp)) {
 size_t dataSoFar = input_remaining();
@@ -715,8 +750,10 @@
 
 if ((archive_options & AO_HAVE_FILE_HEADERS) != 0) {
 archive_next_count = hdr.getInt();
+ CHECK_COUNT(archive_next_count);
 archive_modtime = hdr.getInt();
 file_count = hdr.getInt();
+ CHECK_COUNT(file_count);
 hdrVals += 3;
 } else {
 hdrValsSkipped += 3;
@@ -724,7 +761,9 @@
 
 if ((archive_options & AO_HAVE_SPECIAL_FORMATS) != 0) {
 band_headers_size = hdr.getInt();
+ CHECK_COUNT(band_headers_size);
 attr_definition_count = hdr.getInt();
+ CHECK_COUNT(attr_definition_count);
 hdrVals += 2;
 } else {
 hdrValsSkipped += 2;
@@ -744,13 +783,16 @@
 }
 }
 cp_counts[k] = hdr.getInt();
+ CHECK_COUNT(cp_counts[k]);
 hdrVals += 1;
 }
 
 ic_count = hdr.getInt();
+ CHECK_COUNT(ic_count);
 default_class_minver = hdr.getInt();
 default_class_majver = hdr.getInt();
 class_count = hdr.getInt();
+ CHECK_COUNT(class_count);
 hdrVals += 4;
 
 // done with archive_header
@@ -807,7 +849,6 @@
 bytes::of(band_headers.limit(), C_SLOP).clear(_meta_error);
 }
 
-
 void unpacker::finish() {
 if (verbose >= 1) {
 fprintf(errstrm,
@@ -2117,13 +2158,14 @@
 
 field_descr.readData(field_count);
 read_attrs(ATTR_CONTEXT_FIELD, field_count);
+ CHECK;
 
 method_descr.readData(method_count);
 read_attrs(ATTR_CONTEXT_METHOD, method_count);
 
- CHECK;
 
 read_attrs(ATTR_CONTEXT_CLASS, class_count);
+ CHECK;
 
 read_code_headers();
 
@@ -2150,10 +2192,12 @@
 assert(endsWith(xxx_flags_hi.name, "_flags_hi"));
 if (haveLongFlags)
 xxx_flags_hi.readData(obj_count);
+ CHECK;
 
 band& xxx_flags_lo = ad.xxx_flags_lo();
 assert(endsWith(xxx_flags_lo.name, "_flags_lo"));
 xxx_flags_lo.readData(obj_count);
+ CHECK;
 
 // pre-scan flags, counting occurrences of each index bit
 julong indexMask = ad.flagIndexMask(); // which flag bits are index bits?
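Review bot: In the `@@ -2117` hunk the `CHECK;` that followed `read_attrs(ATTR_CONTEXT_METHOD, method_count)` is removed rather than kept, so a failure inside the method attribute read no longer stops `read_attrs(ATTR_CONTEXT_CLASS, class_count)` from running on the already-aborted state; the rest of this patch adds a `CHECK;` after almost every readData call, which suggests continuing after an abort is not considered safe. Unless read_attrs is known to be a no-op once the unpacker is aborting (not visible here), keep one after each of the three calls: `read_attrs(ATTR_CONTEXT_METHOD, method_count);` / `CHECK;`. In the `@@ -715` and `@@ -744` hunks `archive_modtime`, `default_class_minver` and `default_class_majver` are read with getInt() but get no `CHECK_COUNT`; if that is deliberate because they are not counts, a short comment such as `// not a count: may legitimately be negative` on those lines would keep the next reader from adding one. The enclosing functions start and end outside these hunks.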
@@ -2176,11 +2220,13 @@
 assert(endsWith(xxx_attr_count.name, "_attr_count"));
 // There is one count element for each 1<<16 bit set in flags:
 xxx_attr_count.readData(ad.predefCount(X_ATTR_OVERFLOW));
+ CHECK;
 
 band& xxx_attr_indexes = ad.xxx_attr_indexes();
 assert(endsWith(xxx_attr_indexes.name, "_attr_indexes"));
 int overflowIndexCount = xxx_attr_count.getIntTotal();
 xxx_attr_indexes.readData(overflowIndexCount);
+ CHECK;
 // pre-scan attr indexes, counting occurrences of each value
 for (i = 0; i < overflowIndexCount; i++) {
 idx = xxx_attr_indexes.getInt();
@@ -2211,6 +2257,7 @@
 }
 }
 ad.xxx_attr_calls().readData(backwardCounts);
+ CHECK;
 
 // Read built-in bands.
 // Mostly, these are hand-coded equivalents to readBandData().
@@ -2219,42 +2266,53 @@
 
 count = ad.predefCount(CLASS_ATTR_SourceFile);
 class_SourceFile_RUN.readData(count);
+ CHECK;
 
 count = ad.predefCount(CLASS_ATTR_EnclosingMethod);
 class_EnclosingMethod_RC.readData(count);
 class_EnclosingMethod_RDN.readData(count);
+ CHECK;
 
 count = ad.predefCount(X_ATTR_Signature);
 class_Signature_RS.readData(count);
+ CHECK;
 
 ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
 ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
 
 count = ad.predefCount(CLASS_ATTR_InnerClasses);
 class_InnerClasses_N.readData(count);
+ CHECK;
+
 count = class_InnerClasses_N.getIntTotal();
 class_InnerClasses_RC.readData(count);
 class_InnerClasses_F.readData(count);
+ CHECK;
 // Drop remaining columns wherever flags are zero:
 count -= class_InnerClasses_F.getIntCount(0);
 class_InnerClasses_outer_RCN.readData(count);
 class_InnerClasses_name_RUN.readData(count);
+ CHECK;
 
 count = ad.predefCount(CLASS_ATTR_ClassFile_version);
 class_ClassFile_version_minor_H.readData(count);
 class_ClassFile_version_major_H.readData(count);
+ CHECK;
 break;
 
 case ATTR_CONTEXT_FIELD:
 
 count = ad.predefCount(FIELD_ATTR_ConstantValue);
 field_ConstantValue_KQ.readData(count);
+ CHECK;
 
 count = ad.predefCount(X_ATTR_Signature);
 field_Signature_RS.readData(count);
+ CHECK;
 
 ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
 ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
+ CHECK;
 break;
 
 case ATTR_CONTEXT_METHOD:
@@ -2266,15 +2324,18 @@
 method_Exceptions_N.readData(count);
 count = method_Exceptions_N.getIntTotal();
 method_Exceptions_RC.readData(count);
+ CHECK;
 
 count = ad.predefCount(X_ATTR_Signature);
 method_Signature_RS.readData(count);
+ CHECK;
 
 ad.readBandData(X_ATTR_RuntimeVisibleAnnotations);
 ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);
 ad.readBandData(METHOD_ATTR_RuntimeVisibleParameterAnnotations);
 ad.readBandData(METHOD_ATTR_RuntimeInvisibleParameterAnnotations);
 ad.readBandData(METHOD_ATTR_AnnotationDefault);
+ CHECK;
 break;
 
 case ATTR_CONTEXT_CODE:
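Review bot: In the ATTR_CONTEXT_CLASS case of the `@@ -2219` hunk, the pair of `ad.readBandData(X_ATTR_Runtime*Annotations)` calls is the only band read in that case not followed by a `CHECK;`, whereas the same pair in the ATTR_CONTEXT_FIELD case and the group of five in the `@@ -2266` METHOD case each get one. If readBandData can put the unpacker into the aborting state the way readData does (not visible here), the CLASS case carries on into `class_InnerClasses_N.readData(count)` after a failure; adding `CHECK;` after `ad.readBandData(X_ATTR_RuntimeInvisibleAnnotations);` in the CLASS case would make the three cases consistent. The switch these cases belong to starts and ends outside the hunk.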
@@ -2286,8 +2347,10 @@
 return;
 }
 code_StackMapTable_N.readData(count);
+ CHECK;
 count = code_StackMapTable_N.getIntTotal();
 code_StackMapTable_frame_T.readData(count);
+ CHECK;
 // the rest of it depends in a complicated way on frame tags
 {
 int fat_frame_count = 0;
@@ -2321,18 +2384,23 @@
 // deal completely with fat frames:
 offset_count += fat_frame_count;
 code_StackMapTable_local_N.readData(fat_frame_count);
+ CHECK;
 type_count += code_StackMapTable_local_N.getIntTotal();
 code_StackMapTable_stack_N.readData(fat_frame_count);
 type_count += code_StackMapTable_stack_N.getIntTotal();
+ CHECK;
 // read the rest:
 code_StackMapTable_offset.readData(offset_count);
 code_StackMapTable_T.readData(type_count);
+ CHECK;
 // (7) [RCH]
 count = code_StackMapTable_T.getIntCount(7);
 code_StackMapTable_RC.readData(count);
+ CHECK;
 // (8) [PH]
 count = code_StackMapTable_T.getIntCount(8);
 code_StackMapTable_P.readData(count);
+ CHECK;
 }
 
 count = ad.predefCount(CODE_ATTR_LineNumberTable);
@@ -2654,6 +2722,8 @@
 code_max_na_locals.readData();
 code_handler_count.readData();
 totalHandlerCount += code_handler_count.getIntTotal();
+ CHECK;
+
 
 // Read handler specifications.
 // Cf. PackageReader.readCodeHandlers.
@@ -2661,8 +2731,10 @@
 code_handler_end_PO.readData(totalHandlerCount);
 code_handler_catch_PO.readData(totalHandlerCount);
 code_handler_class_RCN.readData(totalHandlerCount);
+ CHECK;
 
 read_attrs(ATTR_CONTEXT_CODE, totalFlagsCount);
+ CHECK;
 }
 
 static inline bool is_in_range(uint n, uint min, uint max) {
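Review bot: In the `@@ -2321` hunk, `offset_count += fat_frame_count` and the two `type_count += ...getIntTotal()` additions accumulate into int without the overflow check this patch adds inside getIntTotal itself, so two individually valid totals can still sum to a wrapped negative `type_count` before `code_StackMapTable_T.readData(type_count)`; the `CHECK;` placed after them only sees an abort raised by the reads, not a bad sum. Since the patch introduces `CHECK_COUNT` for exactly this shape of value, guarding the sums with it, e.g. `type_count += code_StackMapTable_stack_N.getIntTotal();` / `CHECK_COUNT(type_count);`, would close that gap, assuming readData does not itself reject negative counts (not visible here). The same applies to `totalHandlerCount += code_handler_count.getIntTotal()` in the `@@ -2654` hunk. The declarations of offset_count, type_count and totalHandlerCount, and the enclosing function, lie outside these hunks.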