Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8155608

String intrinsic range checks are not strict enough

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P3 P3
    • 9
    • 9
    • hotspot
    • None
    • b122

      The Java level range checks for StringLatin1::inflate() and StringUTF16::compress() are too weak. Offset and length need to be multiplied by two because they access a char value in a byte array:

      --- a/src/java.base/share/classes/java/lang/StringLatin1.java Tue Apr 19 15:26:52 2016 -0400
      +++ b/src/java.base/share/classes/java/lang/StringLatin1.java Thu Apr 28 10:30:23 2016 +0200
      @@ -567,7 +567,7 @@
           @HotSpotIntrinsicCandidate
           public static void inflate(byte[] src, int srcOff, byte[] dst, int dstOff, int len) {
               // We need a range check here because 'putChar' has no checks
      - checkBoundsOffCount(dstOff, len, dst.length);
      + checkBoundsOffCount(dstOff << 1, len << 1, dst.length);
               for (int i = 0; i < len; i++) {
                   StringUTF16.putChar(dst, dstOff++, src[srcOff++] & 0xff);
               }

      --- a/src/java.base/share/classes/java/lang/StringUTF16.java Tue Apr 19 15:26:52 2016 -0400
      +++ b/src/java.base/share/classes/java/lang/StringUTF16.java Thu Apr 28 10:30:23 2016 +0200
      @@ -162,7 +162,7 @@
           @HotSpotIntrinsicCandidate
           public static int compress(byte[] src, int srcOff, byte[] dst, int dstOff, int len) {
               // We need a range check here because 'getChar' has no checks
      - checkBoundsOffCount(srcOff, len, src.length);
      + checkBoundsOffCount(srcOff << 1, len << 1, src.length);
               for (int i = 0; i < len; i++) {
                   char c = getChar(src, srcOff);
                   if (c > 0xFF) {

            thartmann Tobias Hartmann
            thartmann Tobias Hartmann
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: