RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature

Chen Liang liach at openjdk.org
Tue Sep 30 08:31:56 UTC 2025


On Fri, 26 Sep 2025 14:12:09 GMT, Chen Liang <liach at openjdk.org> wrote:

>> Hi,
>> 
>> `skip_over_field_name` may produce a pointer which is exactly one `char` out of bounds, which is then dereferenced by `skip_over_field_signature` when it looks for a semi-colon. This causes an out-of-bounds read, which ASAN caught. The fix is to check whether it's OK to dereference `p` or not.
>> 
>> We keep the semantics the same other than that, so `skip_over_field_signature` and `skip_over_field_name` can both return a pointer which is one past the valid memory range. Creating such a pointer is explicitly not UB, but dereferencing it is.
>
> src/hotspot/share/classfile/classFileParser.cpp line 4685:
> 
>> 4683:         // The next character better be a semicolon
>> 4684:         if (p != nullptr               && // Parse succeeded
>> 4685:             signature < p              && // p is in range [ signature,
> 
> This condition (and the preexisting `(p - signature) > 1`) seems redundant. From what I see, `skip_over_field_name` already rejects empty names, so `signature + 1 < p` should be consistently true. (We should document that return value `> name` in `skip_over_field_name` too.)

If we decide to keep this for extra security, `signature < p` is wrong too - it should be `signature + 1 < p` to ensure the resulting class name is not empty, in parity with the old check.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2382746649
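The bounds issue discussed above, as an added example that is not HotSpot's code: a small standalone parser for a class signature of the form `L<name>;` whose name-skipping step may legitimately return a one-past-the-end pointer, so the caller must confirm `p < limit` before reading `*p`. The function names `skip_over_name`, `skip_over_class_signature` and `parse_len`, the `limit` parameter, and the accepted name characters are assumptions for this example; the explicit `signature + 1 < p` check mirrors the non-empty-name condition raised in the review.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Class-name characters accepted by this toy parser (an assumption; the real
 * JVM rules for names are broader and are handled elsewhere in HotSpot). */
static bool is_name_char(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '$' || c == '/';
}

/* Skip over a class name starting at p. Returns NULL for an empty name,
 * otherwise a pointer to the first character after the name. That pointer
 * may equal `limit`: forming a one-past-the-end pointer is well defined,
 * reading through it is not, so the caller must check before dereferencing. */
static const char *skip_over_name(const char *p, const char *limit) {
    const char *start = p;
    while (p < limit && is_name_char(*p)) {
        p++;
    }
    return (p == start) ? NULL : p;
}

/* Parse a class signature "L<name>;" at the start of [signature, limit).
 * Returns a pointer just past the ';' on success, or NULL on failure. */
const char *skip_over_class_signature(const char *signature, const char *limit) {
    if (signature == NULL || signature >= limit || *signature != 'L') {
        return NULL;
    }
    const char *p = skip_over_name(signature + 1, limit);
    /* Parse succeeded and the name is non-empty (signature + 1 < p). */
    if (p == NULL || !(signature + 1 < p)) {
        return NULL;                  /* e.g. "L;" - empty class name */
    }
    /* p may be exactly limit here: this is the read ASAN would flag. */
    if (p >= limit) {
        return NULL;                  /* e.g. "Lfoo" - ran off the end */
    }
    if (*p != ';') {
        return NULL;                  /* name followed by something other than ';' */
    }
    return p + 1;
}

/* Helper: copy `len` bytes into an exactly sized heap buffer (no slack and
 * no NUL terminator) so that any read past `limit` is a real overflow a
 * sanitizer would report. Returns the number of bytes consumed, or -1. */
long parse_len(const char *s, size_t len) {
    char *buf = malloc(len == 0 ? 1 : len);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, s, len);
    const char *end = skip_over_class_signature(buf, buf + len);
    long consumed = (end == NULL) ? -1 : (long)(end - buf);
    free(buf);
    return consumed;
}

int main(void) {
    /* Constructed inputs: the last two are the cases the review discusses. */
    printf("\"Lfoo;\" -> %ld\n", parse_len("Lfoo;", 5));   /* 5 */
    printf("\"Lfoo\"  -> %ld\n", parse_len("Lfoo", 4));    /* -1: no ';' before limit */
    printf("\"L;\"    -> %ld\n", parse_len("L;", 2));      /* -1: empty name */
    return 0;
}
```

Running this under AddressSanitizer (`-fsanitize=address`) with the `p >= limit` check removed reproduces the pattern of the report: the `"Lfoo"` input makes `skip_over_name` return `buf + 4`, exactly `limit`, and the subsequent `*p` is a heap-buffer-overflow read of one byte. With the check in place the input is simply rejected.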

