RFR: 8368097: [asan] heap-buffer-overflow reported in ClassFileParser::skip_over_field_signature
Johan Sjölen
jsjolen at openjdk.org
Tue Sep 30 08:31:56 UTC 2025
On Sun, 28 Sep 2025 21:47:08 GMT, David Holmes <dholmes at openjdk.org> wrote:
>> Hi,
>>
>> `skip_over_field_name` may produce a pointer which is exactly one `char` out of bounds, which is then dereferenced by `skip_over_field_signature` when it looks for a semi-colon. This causes an out-of-bounds read, which ASAN caught. The fix is to check whether it's OK to dereference `p` or not.
>>
>> We keep the semantics the same other than that, so `skip_over_field_signature` and `skip_over_field_name` can both return a pointer which is one past the valid memory range. Creating such a pointer is explicitly not UB, but dereferencing it is.
>
> src/hotspot/share/classfile/classFileParser.cpp line 4686:
>
>> 4684: // The next character better be a semicolon
>> 4685: if (p != nullptr && // Parse of field name succeeded.
>> 4686: signature + length > p && // There is at least one character left to parse.
>
> I find `p - signature < length` a more obvious formulation that there is at least one more character.
I also added an assertion that at least one character must be parsed.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27528#discussion_r2388731776
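To make the failure mode concrete, here is an added example in C; it is not HotSpot's code and not from the PR or the reviewers. It models a simplified field-descriptor parser in the shape of the quoted check: `skip_over_field_name` may legitimately return a pointer equal to `signature + length`, and the object-type branch must verify `p - signature < length` before reading `*p`. The function names mirror the ones in the discussion, but the identifier rule (a name runs until `;`, `.` or `[`) is a hypothetical simplification, and the 255-dimension limit is taken from the JVM specification rather than from the PR.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not HotSpot's code: a simplified field-descriptor parser
 * that follows the shape of the check quoted in the review. The identifier
 * rule is hypothetical (a name runs until ';', '.' or '['). */

/* Skips over a class name inside an object-type descriptor. Returns a
 * pointer to the first byte after the name, which may be exactly
 * name + length (one past the end of the buffer): forming that pointer is
 * legal, dereferencing it is not. Returns NULL when no character was
 * consumed, since a name must be at least one character long. */
static const char *skip_over_field_name(const char *name, unsigned length) {
    const char *p = name;
    const char *end = name + length;
    while (p < end && *p != ';' && *p != '.' && *p != '[') {
        p++;
    }
    return (p == name) ? NULL : p;
}

/* Parses one field descriptor: primitives, array prefixes and object types.
 * Returns a pointer just past the descriptor, or NULL when it is malformed. */
static const char *skip_over_field_signature(const char *signature, unsigned length) {
    unsigned array_dim = 0;
    while (length > 0) {
        switch (signature[0]) {
        case 'B': case 'C': case 'D': case 'F':
        case 'I': case 'J': case 'S': case 'Z':
            return signature + 1;
        case 'L': {
            const char *p = skip_over_field_name(signature + 1, length - 1);
            /* The next character better be a semicolon. A check of just
             * `p != NULL && *p == ';'` is the defect: when the name runs to
             * the end of the buffer, p == signature + length and *p reads one
             * byte past it. The bounds test below is the fix. */
            if (p != NULL &&                            /* name parsed      */
                (unsigned)(p - signature) < length &&   /* p is in bounds   */
                *p == ';') {
                return p + 1;
            }
            return NULL;
        }
        case '[':
            /* Array type: count the dimension, then parse the element type. */
            if (++array_dim > 255) {
                return NULL;  /* JVMS limits array dimensions to 255 */
            }
            signature++;
            length--;
            break;
        default:
            return NULL;
        }
    }
    return NULL;  /* ran out of input, e.g. a lone "[" */
}

/* True when the whole buffer is exactly one well-formed field descriptor. */
static bool field_signature_valid(const char *signature, unsigned length) {
    const char *end = skip_over_field_signature(signature, length);
    return end != NULL && end == signature + length;
}

/* Reports whether the unchecked condition would have dereferenced
 * signature + length for this input. It is computed from the pointer value
 * alone, so this example never performs the out-of-bounds read itself. */
static bool would_read_past_end(const char *signature, unsigned length) {
    if (length == 0 || signature[0] != 'L') {
        return false;
    }
    const char *p = skip_over_field_name(signature + 1, length - 1);
    return p != NULL && p == signature + length;
}

int main(void) {
    /* Constructed inputs; the unterminated "Lfoo" is the ASan case. */
    const char *samples[] = { "I", "[[I", "Ljava/lang/String;", "Lfoo", "L;" };
    const unsigned lengths[] = { 1, 3, 18, 4, 2 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s valid=%d unchecked-oob-read=%d\n", samples[i],
               field_signature_valid(samples[i], lengths[i]),
               would_read_past_end(samples[i], lengths[i]));
    }
    return 0;
}
```

The length is passed explicitly rather than taken from a NUL terminator because class-file bytes are not NUL-terminated; with a string literal the one-past-the-end byte happens to be the terminator, which is why this bug is easy to miss without ASan and an exact-size buffer.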