RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature
Johan Sjölen
jsjolen at openjdk.org
Tue Sep 30 08:31:56 UTC 2025
On Fri, 26 Sep 2025 15:25:41 GMT, Chen Liang <liach at openjdk.org> wrote:
>> src/hotspot/share/classfile/classFileParser.cpp line 4685:
>>
>>> 4683: // The next character better be a semicolon
>>> 4684: if (p != nullptr && // Parse succeeded
>>> 4685: signature < p && // p is in range [ signature,
>>
>> This condition (and the preexisting `(p - signature) > 1`) seems redundant. From what I see, `skip_over_field_name` already rejects empty names, so `signature + 1 < p` should be consistently true. (We should document that return value `> name` in `skip_over_field_name` too
>
> If we decide to keep this for extra security, `signature < p` is wrong too - it should be `signature + 1 < p` to ensure the resulting class name is not empty, in parity with the old check.
Yeah, let's skip the redundant condition. It's just confusing to read the check. I wonder if that check was meant to mean "is there at least 1 character left to parse?", so as to avoid the oob dereference.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2383932949
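To make the point of the thread concrete, here is an added, constructed example that is not HotSpot's code and does not reproduce the patch in the PR: a bounds-checked skipper for the JVM object descriptor shape `L<classname>;`, with hypothetical names (`skip_over_field_name`, `skip_over_class_descriptor`, `class_descriptor_length`) and a constructed character-rejection rule set. It shows the two separate concerns the reviewers disentangle: the name skipper itself rejects an empty name (so a `signature + 1 < p` style length check is redundant), while the `p < end` check is what keeps the "next character better be a semicolon" dereference inside the buffer when the descriptor is truncated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added, constructed example (not HotSpot's code): a bounds-checked skipper
 * for the JVM object field descriptor "L<classname>;".  The cursor is
 * dereferenced only after checking that it lies strictly before `end`, so a
 * descriptor that runs off the end of its buffer fails cleanly instead of
 * reading one byte past it. */

/* Skip a class name starting at p.  Returns a pointer one past the name, or
 * NULL when the name is empty, so callers never need a separate
 * "at least one name character" length check. */
static const char* skip_over_field_name(const char* p, const char* end) {
    const char* start = p;
    while (p < end) {                 /* check before every dereference */
        unsigned char c = (unsigned char)*p;
        /* JVMS 4.2.1: '.', ';' and '[' cannot appear in a binary class name;
           control characters are rejected as well (constructed rule set). */
        if (c == '.' || c == ';' || c == '[' || c < 0x20) break;
        p++;
    }
    return (p == start) ? NULL : p;
}

/* Skip "L<name>;".  Returns a pointer one past the ';' or NULL on any
 * malformed or truncated input.  `end` is one past the last valid byte. */
static const char* skip_over_class_descriptor(const char* sig, const char* end) {
    if (sig >= end || *sig != 'L') return NULL;
    const char* p = skip_over_field_name(sig + 1, end);
    /* The next character better be a semicolon.  p != NULL already means the
       name is non-empty (no `sig + 1 < p` needed); `p < end` is the check
       that keeps *p inside the buffer when the input is truncated. */
    if (p != NULL && p < end && *p == ';') return p + 1;
    return NULL;
}

/* Convenience wrapper: bytes consumed by a valid descriptor at the start of
 * buf[0..len), or 0 if none is present. */
size_t class_descriptor_length(const char* buf, size_t len) {
    const char* r = skip_over_class_descriptor(buf, buf + len);
    return r ? (size_t)(r - buf) : 0;
}

int main(void) {
    /* Constructed inputs; lengths are passed explicitly so the terminating
       NUL of each literal lies outside `end` and is never relied upon. */
    const struct { const char* s; size_t n; } samples[] = {
        { "Ljava/lang/String;", 18 },   /* well formed         */
        { "Ljava/lang/String",  17 },   /* truncated: no ';'   */
        { "L;",                  2 },   /* empty class name    */
        { "Ljava.lang.String;", 18 },   /* '.' not allowed     */
        { "I",                   1 },   /* not an L descriptor */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s -> %zu bytes\n", samples[i].s,
               class_descriptor_length(samples[i].s, samples[i].n));
    }
    return 0;
}
```

The truncated sample is the interesting one: the name skipper stops at `end`, so `p == end`, and without the `p < end` guard the semicolon test would read the byte just past the buffer, which is exactly the class of read ASan flags as a heap-buffer-overflow when the descriptor sits at the end of a heap allocation.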