changeset 4571:8ebc1115d725
7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
author | andrew |
---|---|
date | Fri, 14 Oct 2011 00:57:01 +0100 |
parents | fc3acc1b4e55 |
children | e88518dcf07c |
files | src/share/native/com/sun/java/util/jar/pack/unpack.cpp src/share/native/com/sun/java/util/jar/pack/utils.cpp src/share/native/com/sun/java/util/jar/pack/utils.h |
diffstat | 3 files changed, 8 insertions(+), 4 deletions(-) [+] |
--- a/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/unpack.cpp Fri Oct 14 00:57:01 2011 +0100
@@ -1112,9 +1112,11 @@
uint size3 = suffix * 3;
if (suffix == 0) continue; // done with empty string
chars.malloc(size3);
+ CHECK;
byte* chp = chars.ptr;
band saved_band = cp_Utf8_big_chars;
cp_Utf8_big_chars.readData(suffix);
+ CHECK;
for (int j = 0; j < suffix; j++) {
unsigned short ch = cp_Utf8_big_chars.getInt();
chp = store_Utf8_char(chp, ch);
@@ -1134,10 +1136,12 @@
CHECK;
int prevlen = 0; // previous string length (in chars)
tmallocs.add(bigbuf.ptr); // free after this block
+ CHECK;
cp_Utf8_prefix.rewind();
for (i = 0; i < len; i++) {
bytes& chars = allsuffixes[i];
int prefix = (i < PREFIX_SKIP_2)? 0: cp_Utf8_prefix.getInt();
+ CHECK;
int suffix = (int)chars.len;
byte* fillp;
// by induction, the buffer is already filled with the prefix
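Review bot: The CHECK added after `chars.malloc(size3)` only catches an abort raised inside the allocator, but `size3` is `suffix * 3` evaluated in `int` arithmetic before the conversion to `uint`; if `suffix` is not bounded before this hunk, a band value of 0x55555556 or more overflows the product (undefined behaviour, in practice wrapping to a small positive size) so it sails past the PSIZE_MAX guard, and the loop `for (int j = 0; j < suffix; j++)` then stores up to three bytes per character through `chp` far beyond the buffer, provided the band can supply that many values. Rejecting the count before the multiply closes this, e.g. `if (suffix < 0 || suffix > (int)(PSIZE_MAX / 3)) { abort("bad utf8 suffix"); return; }` using this file's abort/CHECK convention, or computing `size3` with the overflow-checked `scale_size` helper declared in utils.h. The enclosing loop begins before the hunk and continues after it, so `suffix` may already be validated where it is read; this note applies only if it is not.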
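Review bot: The CHECK placed after `cp_Utf8_prefix.getInt()` detects a failed band read but says nothing about the value: `prefix` is an attacker-controlled length that the comment `// by induction, the buffer is already filled with the prefix` relies on, and nothing in the hunk establishes `0 <= prefix <= prevlen` before the previous string's bytes are reused. Unless the lines after the hunk already do so, guard it immediately after the new CHECK: `if (prefix < 0 || prefix > prevlen) { abort("bad utf8 prefix"); return; }`. The loop body continues past the end of the hunk, so the copy that consumes `prefix` and `fillp` is not visible here.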
--- a/src/share/native/com/sun/java/util/jar/pack/utils.cpp Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/utils.cpp Fri Oct 14 00:57:01 2011 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -52,7 +52,7 @@
if (msize >= 0 && msize < sizeof(int))
msize = sizeof(int); // see 0xbaadf00d below
#endif
- void* ptr = (msize > PSIZE_MAX) ? null : malloc(msize);
+ void* ptr = (msize > PSIZE_MAX || msize <= 0) ? null : malloc(msize);
if (ptr != null) {
memset(ptr, 0, size);
} else {
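Review bot: The new `msize <= 0` rejection is bypassed in builds where the `#ifdef` block just above it is compiled in: that block first rounds any `msize` below `sizeof(int)` up to `sizeof(int)`, so a zero-byte request is allocated in that configuration while the other configuration rejects it, and the two builds diverge on exactly the malformed input this patch targets. Testing the untouched parameter keeps them consistent: `void* ptr = (msize > PSIZE_MAX || size == 0) ? null : malloc(msize);` (the `memset(ptr, 0, size)` that follows already uses `size`). The function's signature lies before the hunk; if `msize` is unsigned there, `msize <= 0` is just `== 0` and the existing `msize >= 0` test is always true, so writing `== 0` states what is meant and avoids a type-limits warning.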
--- a/src/share/native/com/sun/java/util/jar/pack/utils.h Fri Oct 14 00:54:56 2011 +0100
+++ b/src/share/native/com/sun/java/util/jar/pack/utils.h Fri Oct 14 00:57:01 2011 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -33,7 +33,7 @@
#endif
// overflow management
-#define OVERFLOW ((size_t)-1)
+#define OVERFLOW ((uint)-1)
#define PSIZE_MAX (OVERFLOW/2) /* normal size limit */
inline size_t scale_size(size_t size, size_t scale) {
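Review bot: The narrowing of `OVERFLOW` from `size_t` to `uint` caps `PSIZE_MAX` at 0x7FFFFFFF on 64-bit hosts, which is the whole point of the hardening, yet the header gives no reason; a later maintainer who widens it back to `size_t` "for 64-bit correctness" would quietly reopen the hole. A comment on the define would pin the intent: `// deliberately 32-bit: unpack.cpp computes sizes in int/uint (e.g. suffix * 3), so a size_t-wide sentinel would never trip on 64-bit hosts`. `scale_size` begins on the hunk's last line and its body is outside the hunk, so whether it still produces `OVERFLOW` consistently with the new width cannot be confirmed here. On glibc, `<math.h>` has historically defined its own `OVERFLOW` macro, so a redefinition warning is possible if that header is reachable from this one.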