[8u] RFR: 8028591: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
Andrew Hughes
gnu.andrew at redhat.com
Thu May 21 20:34:23 UTC 2020
On 21/05/2020 21:10, Martin Balao wrote:
> On 5/20/20 5:41 PM, Andrew Hughes wrote:
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8028591
>> Webrev: https://cr.openjdk.java.net/~andrew/openjdk8/8028591/webrev.01/
>>
>> Simple range check additions that have been in OpenJDK since 9u. On the
>> Oracle parity list for 8u26{1,2}.
>
> Thanks for contributing this backport.
>
>> Modifications for the backport are the result of security fixes that
>> have been applied to 8u since the fix was made earlier in the 9u lifecycle:
>>
>> * The check on validBits in
>> src/share/classes/sun/security/util/DerInputStream.java was already
>> added by JDK-8168714: "Tighten ECDSA validation"
>
> Yes, I verified that the patch does not need the validBits because the
> current code already has it.
>
>>
>> * The len was already assigned to a variable in
>> src/share/classes/sun/security/util/ObjectIdentifier.java for
>> JDK-8168705: "Better ObjectIdentifier validation" which checked the
>> upper bound.
>>
>
> Yes, that's correct.
>
>> Also, the copyright header change is redundant as JDK-8175251: "Failed
>> to load RSA private key from pkcs12" already bumped it to 2017.
>>
>
> Yes, that's right. Copyright's last date is 2017 in DerInputStream.java.
>
>> Ok for 8u262?
>
> Looks good to me.
>
Thanks. I'll flag for approval.
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
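As an added illustration of the range checks discussed in this thread (this is not code from the webrev or from OpenJDK's DerInputStream; the class, method and helper names are invented), the following standalone Java reader contrasts the unchecked arithmetic with the checked form. The unchecked path subtracts one for the unused-bits octet before confirming that a content octet exists, so a zero-length BIT STRING reaches `new byte[-1]` and throws NegativeArraySizeException; the checked path rejects that case and an out-of-range unused-bits count before any allocation. The sample DER encodings in `main` are constructed for this example.

```java
import java.io.IOException;
import java.util.Arrays;

/** Added illustration, not OpenJDK code: minimal DER BIT STRING reader in two variants. */
public final class DerBitStringCheck {
    private static final int TAG_BIT_STRING = 0x03;

    /** Cursor with InputStream-like read(): returns -1 at end of input instead of throwing. */
    static final class Cursor {
        final byte[] data;
        int pos;
        Cursor(byte[] data) { this.data = data; }
        int read() { return pos < data.length ? data[pos++] & 0xff : -1; }
    }

    /** Definite-form DER length: short form (< 0x80) or long form (0x81..0x84 followed by that many octets). */
    static int readLength(Cursor in) throws IOException {
        int first = in.read();
        if (first < 0) throw new IOException("missing length");
        if (first < 0x80) return first;
        int count = first & 0x7f;
        if (count == 0 || count > 4) throw new IOException("indefinite or oversized length");
        int len = 0;
        for (int i = 0; i < count; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated length");
            len = (len << 8) | b;
        }
        if (len < 0) throw new IOException("length overflow");
        return len;
    }

    static byte[] readContent(Cursor in, int length) throws IOException {
        byte[] retval = new byte[length];           // negative length throws NegativeArraySizeException
        for (int i = 0; i < length; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated BIT STRING");
            retval[i] = (byte) b;
        }
        return retval;
    }

    /** Unchecked shape: length - 1 is computed and used as an array size without a lower bound. */
    public static byte[] readBitStringUnchecked(byte[] der) throws IOException {
        Cursor in = new Cursor(der);
        if (in.read() != TAG_BIT_STRING) throw new IOException("not a BIT STRING");
        int length = readLength(in) - 1;            // -1 when the content is empty
        int validBits = in.read();                  // -1 at end of input, silently accepted
        return readContent(in, length);
    }

    /** Checked shape: validate the content length and the unused-bits octet before allocating. */
    public static byte[] readBitStringChecked(byte[] der) throws IOException {
        Cursor in = new Cursor(der);
        if (in.read() != TAG_BIT_STRING) throw new IOException("not a BIT STRING");
        int length = readLength(in);
        if (length == 0) throw new IOException("zero-length BIT STRING has no unused-bits octet");
        int validBits = in.read();
        if (validBits < 0 || validBits > 7) throw new IOException("invalid unused-bits count: " + validBits);
        length -= 1;                                // now >= 0
        if (length == 0 && validBits != 0) throw new IOException("unused bits without content");
        byte[] retval = readContent(in, length);
        // DER (X.690 11.2.1) requires the unused trailing bits of the last octet to be zero.
        if (validBits > 0 && (retval[length - 1] & ((1 << validBits) - 1)) != 0)
            throw new IOException("non-zero padding bits");
        return retval;
    }

    public static void main(String[] args) {
        byte[][] inputs = {                         // constructed sample encodings
            {0x03, 0x03, 0x06, 0x6e, 0x40},         // well-formed: 10 bits, 6 unused
            {0x03, 0x00},                           // zero-length content: no unused-bits octet
            {0x03, 0x02, 0x09, (byte) 0xff},        // unused-bits count 9 is out of range
        };
        for (byte[] der : inputs) {
            try {
                System.out.println("unchecked: " + Arrays.toString(readBitStringUnchecked(der)));
            } catch (Exception e) {                 // catches NegativeArraySizeException as well as IOException
                System.out.println("unchecked: " + e);
            }
            try {
                System.out.println("checked:   " + Arrays.toString(readBitStringChecked(der)));
            } catch (IOException e) {
                System.out.println("checked:   " + e);
            }
        }
    }
}
```

Running `main` shows the first encoding accepted by both variants, the second encoding producing a NegativeArraySizeException from the unchecked reader and an IOException from the checked one, and the third encoding accepted by the unchecked reader despite its invalid unused-bits count while the checked reader rejects it. The point for the backport is that the allocation must come after both checks, which is the order the quoted discussion describes for the 8u code once JDK-8168714's validBits check is present.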