RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature [v2]
Johan Sjölen
jsjolen at openjdk.org
Thu Oct 2 11:56:45 UTC 2025
> Hi,
>
> `skip_over_field_name` may produce a pointer which is exactly one `char` out of bounds, which is then dereferenced by `skip_over_field_signature` when it looks for a semi-colon. This causes an out-of-bounds read, which ASAN caught. The fix is to check whether it's OK to dereference `p` or not.
>
> We keep the semantics the same other than that, so `skip_over_field_signature` and `skip_over_field_name` can both return a pointer which is one past the valid memory range. Creating such a pointer is explicitly not UB, but dereferencing it is.
Johan Sjölen has updated the pull request incrementally with one additional commit since the last revision:
Update src/hotspot/share/classfile/classFileParser.cpp
Co-authored-by: David Holmes <62092539+dholmes-ora at users.noreply.github.com>
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/27528/files
- new: https://git.openjdk.org/jdk/pull/27528/files/75709361..f6b89402
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=27528&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=27528&range=00-01
Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod
Patch: https://git.openjdk.org/jdk/pull/27528.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/27528/head:pull/27528
PR: https://git.openjdk.org/jdk/pull/27528
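The defect class described in the quoted PR description, as an added C++ illustration that is not HotSpot's code: a name scanner legitimately returns a one-past-the-end pointer, and the caller must test `p < end` before reading `*p`. The names `skip_over_name`, `object_descriptor_length_unchecked` and `object_descriptor_length` are hypothetical, and the descriptor grammar is reduced to `L<name>;` for the example. The constructed input in `main` keeps a real byte behind the logical end so the unchecked variant can be run without undefined behaviour; in the real parser that byte is the heap byte ASan reported.

```cpp
#include <cstddef>
#include <cstdio>

// Characters allowed in the (simplified, hypothetical) field name.
static bool is_name_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '/';
}

// Advance over name characters in [p, end). Returning `end` (one past the
// valid range) is deliberate and legal; dereferencing that pointer is not.
const char* skip_over_name(const char* p, const char* end) {
    while (p < end && is_name_char(*p)) {
        ++p;
    }
    return p;
}

// BUGGY pattern (what the ASan report describes): assumes the pointer
// returned by skip_over_name can be dereferenced. When the name runs to the
// end of the buffer, `*p` reads one byte past `sig + len`.
// Returns bytes consumed for an `L<name>;` descriptor, 0 if not matched.
size_t object_descriptor_length_unchecked(const char* sig, size_t len) {
    const char* end = sig + len;
    if (len == 0 || sig[0] != 'L') return 0;
    const char* name_start = sig + 1;
    const char* p = skip_over_name(name_start, end);
    if (p == name_start) return 0;                 // empty name rejected
    if (*p == ';') return (size_t)(p + 1 - sig);   // BUG: p may equal end
    return 0;
}

// FIXED pattern: check that `p` is inside the buffer before reading it.
size_t object_descriptor_length(const char* sig, size_t len) {
    const char* end = sig + len;
    if (len == 0 || sig[0] != 'L') return 0;
    const char* name_start = sig + 1;
    const char* p = skip_over_name(name_start, end);
    if (p == name_start) return 0;                 // empty name rejected
    if (p < end && *p == ';') return (size_t)(p + 1 - sig);
    return 0;                                      // ran off the end: malformed
}

int main() {
    // Constructed input: the backing array holds "Lfoo;" but the logical
    // length passed to the scanners is 4, so the ';' lies one byte past the
    // valid range. The unchecked scanner reads it and reports 5 bytes
    // consumed, more than it was given; the checked scanner rejects the input.
    const char backing[] = "Lfoo;";
    size_t unchecked = object_descriptor_length_unchecked(backing, 4);
    size_t checked   = object_descriptor_length(backing, 4);
    size_t whole     = object_descriptor_length(backing, 5);
    std::printf("unchecked=%zu checked=%zu whole=%zu\n", unchecked, checked, whole);
    return (unchecked == 5 && checked == 0 && whole == 5) ? 0 : 1;
}
```

The fix keeps the contract the PR description states: `skip_over_name` may still return `end`, and only the dereference site gains the bounds test, so the length accounting of well-formed descriptors is unchanged.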