Code review request for 7172149 ArrayIndexOutOfBoundsException from Signature.verify

Xuelei Fan xuelei.fan at oracle.com
Tue May 29 06:45:23 UTC 2012


That's an interesting topic.  From my understanding, the length of an array
is of type "int".  So normally, the (offset + length) should not be
greater than Integer.MAX_VALUE.  Of course, hostile or improper code is
not that case.

What's interesting to me is that maybe when we do an additive operation
on two "int" values, we may have to convert them to "long" in case of any
overflow, strictly.  We are lucky here because we have the "long" type. But
what about the additive operation on two "long" values?

Jonathan, do you run into the problem in the real world?

Thanks & Regards,
Xuelei

On 5/29/2012 1:53 PM, Jonathan Lu wrote:
> Hi Security-dev,
> 
> Here's a patch for bug 7172149, could anybody please help to take a look?
> http://cr.openjdk.java.net/~luchsh/7172149/
> 
> The problem is that the range check in Signature.verify(byte[], int,
> int) uses integer value to check whether (offset + length) is greater
> than signature.length, but if (offset + length) overflows the check will
> fail and ArrayIndexOutOfBoundsException will be thrown instead of
> IllegalArgumentException. My proposed solution is to make a conversion
> to long in the if block.
> 
> Thanks!
> - Jonathan
> 
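
Added example, not part of the original thread and not the JDK patch: a sketch of the range check discussed above, showing the int form letting a wrapped (offset + length) through, the long conversion proposed in the thread, a subtraction form that needs no wider type, and Math.addExact for the two-"long" case raised in the reply. The class, method names and 64-byte buffer are assumptions for illustration.

```java
// Added illustration: class and method names are hypothetical, not JDK source.
public class RangeCheckDemo {
    // int arithmetic, as the report describes: the sum can wrap negative.
    static void checkInt(byte[] sig, int offset, int length) {
        if (offset + length > sig.length)
            throw new IllegalArgumentException("bad offset/length");
    }
    // Conversion to long, the fix proposed in the thread.
    static void checkLong(byte[] sig, int offset, int length) {
        if ((long) offset + length > sig.length)
            throw new IllegalArgumentException("bad offset/length");
    }
    // No wider type needed: compare length with the space left after offset.
    static void checkSubtract(byte[] sig, int offset, int length) {
        if (offset < 0 || length < 0 || offset > sig.length
                || length > sig.length - offset)
            throw new IllegalArgumentException("bad offset/length");
    }
    // Two longs have no wider primitive; Math.addExact (Java 8+) throws on overflow.
    static boolean fitsLong(long offset, long length, long limit) {
        try {
            return Math.addExact(offset, length) <= limit;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    interface Check { void run(byte[] sig, int offset, int length); }

    // Runs a check, then reads the last byte of the range as a stand-in
    // for the real verification code touching the buffer.
    static String outcome(Check check, byte[] sig, int offset, int length) {
        try {
            check.run(sig, offset, length);
            return "accepted, last byte " + sig[offset + length - 1];
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        byte[] sig = new byte[64];            // constructed sample buffer
        int off = 1, len = Integer.MAX_VALUE; // off + len wraps to Integer.MIN_VALUE
        System.out.println("int:      " + outcome(RangeCheckDemo::checkInt, sig, off, len));
        System.out.println("long:     " + outcome(RangeCheckDemo::checkLong, sig, off, len));
        System.out.println("subtract: " + outcome(RangeCheckDemo::checkSubtract, sig, off, len));
        System.out.println("addExact: " + fitsLong(Long.MAX_VALUE, 1, 64));
    }
}
```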



