Mercurial > hg > release > icedtea7-forest-2.0 > jdk

changeset 4571:8ebc1115d725

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
author andrew
date Fri, 14 Oct 2011 00:57:01 +0100
parents fc3acc1b4e55
children e88518dcf07c
files src/share/native/com/sun/java/util/jar/pack/unpack.cpp src/share/native/com/sun/java/util/jar/pack/utils.cpp src/share/native/com/sun/java/util/jar/pack/utils.h
diffstat 3 files changed, 8 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp	Fri Oct 14 00:57:01 2011 +0100
@@ -1112,9 +1112,11 @@
     uint size3 = suffix * 3;
     if (suffix == 0)  continue;  // done with empty string
     chars.malloc(size3);
+    CHECK;
     byte* chp = chars.ptr;
     band saved_band = cp_Utf8_big_chars;
     cp_Utf8_big_chars.readData(suffix);
+    CHECK;
     for (int j = 0; j < suffix; j++) {
       unsigned short ch = cp_Utf8_big_chars.getInt();
       chp = store_Utf8_char(chp, ch);
@@ -1134,10 +1136,12 @@
   CHECK;
   int prevlen = 0;  // previous string length (in chars)
   tmallocs.add(bigbuf.ptr);  // free after this block
+  CHECK;
   cp_Utf8_prefix.rewind();
   for (i = 0; i < len; i++) {
     bytes& chars = allsuffixes[i];
     int prefix = (i < PREFIX_SKIP_2)? 0: cp_Utf8_prefix.getInt();
+    CHECK;
     int suffix = (int)chars.len;
     byte* fillp;
     // by induction, the buffer is already filled with the prefix
--- a/src/share/native/com/sun/java/util/jar/pack/utils.cpp	Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/utils.cpp	Fri Oct 14 00:57:01 2011 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -52,7 +52,7 @@
   if (msize >= 0 && msize < sizeof(int))
     msize = sizeof(int);  // see 0xbaadf00d below
   #endif
-  void* ptr = (msize > PSIZE_MAX) ? null : malloc(msize);
+  void* ptr = (msize > PSIZE_MAX || msize <= 0) ? null : malloc(msize);
   if (ptr != null) {
     memset(ptr, 0, size);
   } else {
--- a/src/share/native/com/sun/java/util/jar/pack/utils.h	Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/utils.h	Fri Oct 14 00:57:01 2011 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,7 +33,7 @@
 #endif
 
 // overflow management
-#define OVERFLOW ((size_t)-1)
+#define OVERFLOW ((uint)-1)
 #define PSIZE_MAX (OVERFLOW/2)  /* normal size limit */
 
 inline size_t scale_size(size_t size, size_t scale) {