Bug
Resolution: Fixed
P3
11, 12
b21
An ADLC component suffers from multiple NULL pointer dereferences: in both places below the pointer returned by malloc() is passed straight to sprintf() without being checked. Please
add validation of the malloc() return value.
Affected file:
jdk-cdffba164671/src/hotspot/share/adlc/formssel.cpp
Affected code 1 (when building the string representation of a subtree):
-------------------------------
void MatchNode::build_internalop( ) {
char *iop, *subtree;
const char *lstr, *rstr;
// Build string representation of subtree
// Operation lchildType rchildType
int len = (int)strlen(_opType) + 4;
lstr = (_lChild) ? ((_lChild->_internalop) ?
_lChild->_internalop : _lChild->_opType) : "";
rstr = (_rChild) ? ((_rChild->_internalop) ?
_rChild->_internalop : _rChild->_opType) : "";
len += (int)strlen(lstr) + (int)strlen(rstr);
subtree = (char *)malloc(len);
sprintf(subtree,"_%s_%s_%s", _opType, lstr, rstr); <=== Potential overflow
-------------------------------
Affected code 2 (recursively swaps the specified commutative operation with the subtree
operands):
-------------------------------
void MatchRule::matchrule_swap_commutative_op(const char* instr_ident, int
count, int& match_rules_cnt) {
assert(match_rules_cnt < 100," too many match rule clones");
// Clone
MatchRule* clone = new MatchRule(_AD, this);
// Swap operands of commutative operation
((MatchNode*)clone)->swap_commutative_op(true, count);
char* buf = (char*) malloc(strlen(instr_ident) + 4);
sprintf(buf, "%s_%d", instr_ident, match_rules_cnt++); <=== Potential
overflow
-------------------------------
Reported by Maksymilian Arciemowicz
add validation of the malloc() return value.
Affected file:
jdk-cdffba164671/src/hotspot/share/adlc/formssel.cpp
Affected code 1 (when building the string representation of a subtree):
-------------------------------
void MatchNode::build_internalop( ) {
char *iop, *subtree;
const char *lstr, *rstr;
// Build string representation of subtree
// Operation lchildType rchildType
int len = (int)strlen(_opType) + 4;
lstr = (_lChild) ? ((_lChild->_internalop) ?
_lChild->_internalop : _lChild->_opType) : "";
rstr = (_rChild) ? ((_rChild->_internalop) ?
_rChild->_internalop : _rChild->_opType) : "";
len += (int)strlen(lstr) + (int)strlen(rstr);
subtree = (char *)malloc(len);
sprintf(subtree,"_%s_%s_%s", _opType, lstr, rstr); <=== Potential overflow
-------------------------------
Affected code 2 (recursively swaps the specified commutative operation with the subtree
operands):
-------------------------------
void MatchRule::matchrule_swap_commutative_op(const char* instr_ident, int
count, int& match_rules_cnt) {
assert(match_rules_cnt < 100," too many match rule clones");
// Clone
MatchRule* clone = new MatchRule(_AD, this);
// Swap operands of commutative operation
((MatchNode*)clone)->swap_commutative_op(true, count);
char* buf = (char*) malloc(strlen(instr_ident) + 4);
sprintf(buf, "%s_%d", instr_ident, match_rules_cnt++); <=== Potential
overflow
-------------------------------
Reported by Maksymilian Arciemowicz
- relates to
JDK-8217291 Failure of ::realloc() should be handled correctly in adlc/forms.cpp
- Resolved