Code review request for 7172149 ArrayIndexOutOfBoundsException from Signature.verify
Jonathan Lu
luchsh at linux.vnet.ibm.com
Tue May 29 07:11:21 UTC 2012
Hi Xuelei,
Thanks for review!
On 05/29/2012 02:45 PM, Xuelei Fan wrote:
> That's an interesting topic. From my understand, the length of an array
> is of type "int". So normally, the (offset + length) should not be
> great than integer.max_value. Of course, Hostile or improper code are
> not of the case.
>
> What's interesting to me is that may be when we do additive operation
> for two "int" values, we may have to convert it to "long" in case of any
> overflow strictly. We are luck here because we have "long" type. But
> what about the additive operation for two "long" values
I think this issue is special, since it is about index value of Java
arrays, which is limited to smaller than Integer.MAX_VALUE according to
Java language specification, not other general conditions of comparing
integer or long values.
>
> Jonathan, do you run into the problem in real world?
For now I am not quiet sure of whether it is from a real world problem,
but this problem does exhibit some weakness or behavior differences, right?
Thanks & regards
-Jonathan
>
> Thanks& Regards,
> Xuelei
>
> On 5/29/2012 1:53 PM, Jonathan Lu wrote:
>> Hi Security-dev,
>>
>> Here's a patch for bug7172149, could anybody please help to take a look?
>> http://cr.openjdk.java.net/~luchsh/7172149/
>>
>> The problem is that the range check in Signature.verify(byte[], int,
>> int) uses integer value to check whether (offset + length) is greater
>> than signature.length, but if (offset + length) overflows the check will
>> fail and ArrayIndexOutOfBoundsException will be thrown instead of
>> IllegalArgumentException.My proposed solution is to make a conversion
>> to long in the if block.
>>
>> Thanks!
>> - Jonathan
>>
More information about the security-dev
mailing list