Mercurial > hg > release > icedtea6-1.9

view patches/security/20111018/7057857.patch @ 2352:941103576384

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add first batch of security patches. S7000600, CVE-2011-3547: InputStream skip() information leak S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine S7055902, CVE-2011-3521: IIOP deserialization code execution S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks S7064341, CVE-2011-3389: JSSE S7070134, CVE-2011-3558: Hotspot unspecified issue S7077466, CVE-2011-3556: RMI DGC server remote code execution S7083012, CVE-2011-3557: RMI registry privileged code execution S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection 2011-10-13 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add patches. * NEWS: List security updates. * patches/icedtea-rhino.patch: Change after 7046823 is applied. * patches/security/20111018/7000600.patch, * patches/security/20111018/7019773.patch, * patches/security/20111018/7023640.patch, * patches/security/20111018/7032417.patch, * patches/security/20111018/7046823.patch, * patches/security/20111018/7055902.patch, * patches/security/20111018/7057857.patch, * patches/security/20111018/7064341.patch, * patches/security/20111018/7070134.patch, * patches/security/20111018/7083012.patch, * patches/security/20111018/7096936.patch: First batch of security patches.
author Andrew John Hughes <ahughes@redhat.com>
date Thu, 13 Oct 2011 15:04:46 +0100
parents
children
line wrap: on
line source

diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	2010-06-21 22:15:40.000000000 +0100
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	2011-10-12 21:22:15.913976605 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1088,11 +1088,14 @@
     uint size3 = suffix * 3;
     if (suffix == 0)  continue;  // done with empty string
     chars.malloc(size3);
+    CHECK;
     byte* chp = chars.ptr;
     band saved_band = cp_Utf8_big_chars;
     cp_Utf8_big_chars.readData(suffix);
+    CHECK;
     for (int j = 0; j < suffix; j++) {
       unsigned short ch = cp_Utf8_big_chars.getInt();
+      CHECK;
       chp = store_Utf8_char(chp, ch);
     }
     chars.realloc(chp - chars.ptr);
@@ -1110,10 +1113,12 @@
   CHECK;
   int prevlen = 0;  // previous string length (in chars)
   tmallocs.add(bigbuf.ptr);  // free after this block
+  CHECK;
   cp_Utf8_prefix.rewind();
   for (i = 0; i < len; i++) {
     bytes& chars = allsuffixes[i];
     int prefix = (i < PREFIX_SKIP_2)? 0: cp_Utf8_prefix.getInt();
+    CHECK;
     int suffix = chars.len;
     byte* fillp;
     // by induction, the buffer is already filled with the prefix
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp	2010-06-21 22:15:40.000000000 +0100
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.cpp	2011-10-12 21:21:58.833708543 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,7 +52,7 @@
   if (msize >= 0 && msize < sizeof(int))
     msize = sizeof(int);  // see 0xbaadf00d below
   #endif
-  void* ptr = (msize > PSIZE_MAX) ? null : malloc(msize);
+  void* ptr = (msize > PSIZE_MAX || msize <= 0) ? null : malloc(msize);
   if (ptr != null) {
     memset(ptr, 0, size);
   } else {
diff -Nru openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.h openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.h
--- openjdk.orig/jdk/src/share/native/com/sun/java/util/jar/pack/utils.h	2010-06-21 22:15:40.000000000 +0100
+++ openjdk/jdk/src/share/native/com/sun/java/util/jar/pack/utils.h	2011-10-12 21:21:58.841708669 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,7 +33,7 @@
 #endif
 
 // overflow management
-#define OVERFLOW ((size_t)-1)
+#define OVERFLOW ((uint)-1)
 #define PSIZE_MAX (OVERFLOW/2)  /* normal size limit */
 
 inline size_t scale_size(size_t size, size_t scale) {