-
Bug
-
Resolution: Fixed
-
P3
-
6u10
-
b04
-
x86
-
linux
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-2213717 | 7u2 | Joe Darcy | P4 | Closed | Fixed | b08 |
FULL PRODUCT VERSION :
$ java -version
java version "1.5.0_16"
$ java -version
openjdk version "1.7.0-internal"
1.6.0_12-b04
(I think you'll find this is in about every version of java.)
ADDITIONAL OS VERSION INFORMATION :
All OSes.
A DESCRIPTION OF THE PROBLEM :
A logic error in SignatureParser.java makes it possible for a malformed signature to push the JVM into an infinite loop, which only ends when heap is exhausted.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the attached program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Something like "parse error, malformed method descriptor."
ACTUAL -
<twiddle twiddle twiddle> boom.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at java.util.ArrayList.ensureCapacity(ArrayList.java:169)
at java.util.ArrayList.add(ArrayList.java:351)
at sun.reflect.generics.parser.SignatureParser.parseFormalTypeParameters(SignatureParser.java:190)
at sun.reflect.generics.parser.SignatureParser.parseZeroOrMoreFormalTypeParameters(SignatureParser.java:177)
at sun.reflect.generics.parser.SignatureParser.parseMethodTypeSignature(SignatureParser.java:436)
at sun.reflect.generics.parser.SignatureParser.parseMethodSig(SignatureParser.java:141)
at SigP.main(SigP.java:8)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import sun.reflect.generics.parser.SignatureParser;
public class SigP {
public static void main(String[] args) {
SignatureParser sp = SignatureParser.make();
String sig = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Symbol;>(TT;Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Type;)TT;";
sp.parseMethodSig(sig);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Fix SignatureParser and rebuild the jdk. The exploitable logic around line 210:
while (current() != '>') {
ftps.add(parseFormalTypeParameter());
}
It is possible for parseFormalTypeParameter() not to advance the input, so this will loop indefinitely, allocating new empty type parameters until it exhausts its rope.
$ java -version
java version "1.5.0_16"
$ java -version
openjdk version "1.7.0-internal"
1.6.0_12-b04
(I think you'll find this is in about every version of java.)
ADDITIONAL OS VERSION INFORMATION :
All OSes.
A DESCRIPTION OF THE PROBLEM :
A logic error in SignatureParser.java makes it possible for a malformed signature to push the JVM into an infinite loop, which only ends when heap is exhausted.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the attached program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Something like "parse error, malformed method descriptor."
ACTUAL -
<twiddle twiddle twiddle> boom.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
at java.util.ArrayList.ensureCapacity(ArrayList.java:169)
at java.util.ArrayList.add(ArrayList.java:351)
at sun.reflect.generics.parser.SignatureParser.parseFormalTypeParameters(SignatureParser.java:190)
at sun.reflect.generics.parser.SignatureParser.parseZeroOrMoreFormalTypeParameters(SignatureParser.java:177)
at sun.reflect.generics.parser.SignatureParser.parseMethodTypeSignature(SignatureParser.java:436)
at sun.reflect.generics.parser.SignatureParser.parseMethodSig(SignatureParser.java:141)
at SigP.main(SigP.java:8)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import sun.reflect.generics.parser.SignatureParser;
public class SigP {
public static void main(String[] args) {
SignatureParser sp = SignatureParser.make();
String sig = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Symbol;>(TT;Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Type;)TT;";
sp.parseMethodSig(sig);
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Fix SignatureParser and rebuild the jdk. The exploitable logic around line 210:
while (current() != '>') {
ftps.add(parseFormalTypeParameter());
}
It is possible for parseFormalTypeParameter() not to advance the input, so this will loop indefinitely, allocating new empty type parameters until it exhausts its rope.
- backported by
-
JDK-2213717 (reflect) malformed signature can cause parser to go into infinite loop
-
- Closed
-
- relates to
-
-
- Closed
-
-
JDK-7052878 javac needs tests for reading/writing generic signature attributes
-
- Closed
-