If a malicious actor holds a reference to the argument array passed to the MethodTypeDesc.of factory, it can mutate a supposedly immutable MethodTypeDesc and create an illegal MethodTypeDesc.
```
jshell> import java.lang.constant.*;
jshell> import java.lang.invoke.*;
jshell> import static java.lang.constant.ConstantDescs.*;
jshell> ClassDesc[] args = { CD_int, CD_Long};
args ==> ClassDesc[2] { PrimitiveClassDesc[int], ClassDesc[Long] }
jshell> var mtd = MethodTypeDesc.of(CD_void, args);
mtd ==> MethodTypeDesc[(int,Long)void]
jshell> mtd
mtd ==> MethodTypeDesc[(int,Long)void]
jshell> args[1] = CD_void
$7 ==> PrimitiveClassDesc[void]
jshell> mtd
mtd ==> MethodTypeDesc[(int,void)void]
```
I recommend changing MethodTypeDescImpl to be list-backed rather than array-backed, to reduce allocations on `parameterList` calls too.
- relates to: JDK-8309413 Improve the performance of MethodTypeDesc::descriptorString (Resolved)
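The reported aliasing and one way to close it, as an added example that is not JDK code: `SharedArrayDesc` and `CopiedDesc` are hypothetical stand-ins for a descriptor type, and the void-parameter check is an assumed validation rule. The hardened factory copies before it validates, so the elements that were checked are the ones that get stored.

```java
import java.lang.constant.ClassDesc;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import static java.lang.constant.ConstantDescs.*;

public class DefensiveCopyDemo {
    // Assumed rule for this demo: a parameter may not be void.
    static void validate(List<ClassDesc> params) {
        for (ClassDesc p : params)
            if (p.descriptorString().equals("V"))
                throw new IllegalArgumentException("void parameter not permitted");
    }

    // Hypothetical array-backed descriptor: stores the caller's varargs array as-is.
    record SharedArrayDesc(ClassDesc ret, ClassDesc[] params) {
        static SharedArrayDesc of(ClassDesc ret, ClassDesc... params) {
            validate(Arrays.asList(params));          // checked once, at construction
            return new SharedArrayDesc(ret, params);  // caller still holds this array
        }
    }

    // Hypothetical list-backed descriptor: snapshot first, then validate the snapshot.
    record CopiedDesc(ClassDesc ret, List<ClassDesc> params) {
        static CopiedDesc of(ClassDesc ret, ClassDesc... params) {
            List<ClassDesc> copy = List.of(params);   // immutable copy, rejects nulls
            validate(copy);
            return new CopiedDesc(ret, copy);         // accessor can return it without cloning
        }
    }

    static String descriptor(ClassDesc ret, List<ClassDesc> params) {
        return params.stream().map(ClassDesc::descriptorString)
                     .collect(Collectors.joining("", "(", ")")) + ret.descriptorString();
    }

    public static void main(String[] unused) {
        ClassDesc[] args = { CD_int, CD_Long };       // constructed sample input
        var shared = SharedArrayDesc.of(CD_void, args);
        var copied = CopiedDesc.of(CD_void, args);

        args[1] = CD_void;                            // caller mutates its array after construction

        // The array-backed value now reports a void parameter that validation never saw;
        // the list-backed value still reports the parameters it was built with.
        System.out.println("shared: " + descriptor(shared.ret(), Arrays.asList(shared.params())));
        System.out.println("copied: " + descriptor(copied.ret(), copied.params()));
    }
}
```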