RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature

[David Holmes]

On Fri, 26 Sep 2025 12:59:56 GMT, Johan Sjölen <jsjolen at openjdk.org> wrote:

> Hi,
> 
> `skip_over_field_name` may produce a pointer which is exactly one `char` of bounds, which is the dereferenced by `skip_over_field_signature` when it looks for a semi-colon. This causes an out-of-bounds read, which ASAN caught. The fix is to check whether it's OK to dereference `p` or not.
> 
> We keep the semantics the same other than that, so `skip_over_field_signature` and `skip_over_field_name` can both return a pointer which is one past the valid memory range. Creating such a pointer is explicitly not UB, but dereferencing it is.

src/hotspot/share/classfile/classFileParser.cpp line 4681:

> 4679:     case JVM_SIGNATURE_CLASS: {
> 4680:       if (_major_version < JAVA_1_5_VERSION) {
> 4681:         signature++; length--;

Suggestion:

        signature++;
        length--;

src/hotspot/share/classfile/classFileParser.cpp line 4686:

> 4684:         // The next character better be a semicolon
> 4685:         if (p != nullptr               && // Parse of field name succeeded.
> 4686:             signature + length > p     && // There is at least one character left to parse.

I find `p - signature < length` a more obvious formulation that there is at least one more character.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2386359217
PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2386359872