Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2209220 | 6u27 | Vaibhav Choudhary | P3 | Closed | Fixed | b01 |
JDK-2209879 | 6u26-rev | Vaibhav Choudhary | P3 | Resolved | Fixed | b21 |
JDK-2200109 | 6u25-rev | Vaibhav Choudhary | P3 | Resolved | Fixed | b21 |
JDK-2172689 | OpenJDK6 | Martin Buchholz | P3 | Resolved | Fixed | b16 |
FULL PRODUCT VERSION :
java version "1.6.0_0"
OpenJDK Runtime Environment (build 1.6.0_0-b12)
OpenJDK Core VM (build 14.0-b08, interpreted mode)
(built from icedtea6-ce9956fe8908)
ADDITIONAL OS VERSION INFORMATION :
All platforms
A DESCRIPTION OF THE PROBLEM :
In jdk/src/share/native/java/io/io_util.c, both readBytes and writeBytes include the following array bounds check:
    if ((off < 0) || (off > datalen) ||
        (len < 0) || ((off + len) > datalen) || ((off + len) < 0)) {
        JNU_ThrowByName(env, "java/lang/IndexOutOfBoundsException", 0);
        return -1;
    }
off, len and datalen are all signed 32-bit integers. The result of (off + len) is undefined in C if the result overflows, which can cause the exception not to be thrown. This causes testsuite failures on 32-bit Linux PowerPC on Fedora 10.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile the test case and run it on 32-bit Linux PowerPC on Fedora 10.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Exception in thread "main" java.lang.IndexOutOfBoundsException
at java.io.FileInputStream.readBytes(Native Method)
at java.io.FileInputStream.read(FileInputStream.java:236)
at Test.main(Test.java:5)
ACTUAL -
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
at java.io.FileInputStream.readBytes(Native Method)
at java.io.FileInputStream.read(FileInputStream.java:236)
at Test.main(Test.java:5)
Note that the thrown exception is different; I'm guessing it comes from the (*env)->SetByteArrayRegion further down readBytes.
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.FileInputStream;

class Test {
    public static void main(String[] args) throws Exception {
        byte[] b = new byte[20];
        (new FileInputStream("/bin/ls")).read(b, 1, 0x7fffffff);
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
http://icedtea.classpath.org/hg/icedtea6/file/ce9956fe8908/patches/icedtea-io_util-overflow.patch
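An added example, not taken from the report or from the linked patch: a range check for the same three signed 32-bit values that never forms off + len, so it cannot overflow. The function names out_of_bounds and sum_overflows are hypothetical, and datalen is assumed to be a non-negative array length.

```c
#include <stdint.h>
#include <stdio.h>

/* True when off + len is not representable as a signed 32-bit int, i.e. the
 * inputs for which the original expression (off + len) is undefined in C.
 * The sum is formed in 64 bits so this probe itself never overflows. */
static int sum_overflows(int32_t off, int32_t len)
{
    int64_t sum = (int64_t)off + (int64_t)len;
    return sum > INT32_MAX || sum < INT32_MIN;
}

/* Overflow-free range check: returns 1 when [off, off + len) does not fit in
 * an array of datalen elements. Assumes datalen >= 0 (an array length).
 * Once off is known to lie in [0, datalen], datalen - off cannot overflow,
 * so len is compared against the remaining space and no sum is formed. */
static int out_of_bounds(int32_t off, int32_t len, int32_t datalen)
{
    if (off < 0 || len < 0 || off > datalen)
        return 1;
    return len > datalen - off;
}

int main(void)
{
    /* Values from the report's test case: byte[20], off = 1, len = 0x7fffffff. */
    int32_t off = 1, len = 0x7fffffff, datalen = 20;

    printf("off + len overflows int32: %d\n", sum_overflows(off, len));
    printf("out_of_bounds(1, 0x7fffffff, 20): %d\n",
           out_of_bounds(off, len, datalen));
    printf("out_of_bounds(1, 19, 20): %d\n", out_of_bounds(1, 19, 20));
    return 0;
}
```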
backported by:
- JDK-2172689 (porting) Bounds checks in io_util.c rely on undefined behaviour - Resolved
- JDK-2200109 (porting) Bounds checks in io_util.c rely on undefined behaviour - Resolved
- JDK-2209879 (porting) Bounds checks in io_util.c rely on undefined behaviour - Resolved
- JDK-2209220 (porting) Bounds checks in io_util.c rely on undefined behaviour - Closed