Code review request for 7172149 ArrayIndexOutOfBoundsException from Signature.verify

Brad Wetmore bradford.wetmore at oracle.com
Wed May 30 00:54:22 UTC 2012


I think it is worth exploring what other parts of the code do in this 
case.  It seems to me this is going to be a lot more involved than just 
Signatures.  (InputStreams, etc)

Brad



On 5/29/2012 4:26 PM, Xuelei Fan wrote:
> On 5/29/2012 3:11 PM, Jonathan Lu wrote:
>> Hi Xuelei,
>>
>> Thanks for review!
>>
>> On 05/29/2012 02:45 PM, Xuelei Fan wrote:
>>> That's an interesting topic.  From my understand, the length of an array
>>> is of type "int".  So normally, the (offset + length) should not be
>>> great than integer.max_value.  Of course, Hostile or improper code are
>>> not of the case.
>>>
>>> What's interesting to me is that may be when we do additive operation
>>> for two "int" values, we may have to convert it to "long" in case of any
>>> overflow strictly.  We are luck here because we have "long" type. But
>>> what about the additive operation for two "long" values
>>
>> I think this issue is special, since it is about index value of Java
>> arrays, which is limited to smaller than Integer.MAX_VALUE according to
>> Java language specification, not other general conditions of comparing
>> integer or long values.
>>
>>>
>>> Jonathan, do you run into the problem in real world?
>> For now I am not quiet sure of whether it is from a real world problem,
>> but this problem does exhibit some weakness or behavior differences, right?
>>
> Yes, it is an improvement.  Would you please add a comment about why
> convert it to "long", and update the copyright year to 2012? Otherwise,
> looks fine to me for JDK 8.
>
> Thanks&   Regards,
> Xuelei
>
>> Thanks&  regards
>> -Jonathan
>>
>>>
>>> Thanks&   Regards,
>>> Xuelei
>>>
>>> On 5/29/2012 1:53 PM, Jonathan Lu wrote:
>>>> Hi Security-dev,
>>>>
>>>> Here's a patch for bug7172149, could anybody please help to take a look?
>>>> http://cr.openjdk.java.net/~luchsh/7172149/
>>>>
>>>> The problem is that the range check in Signature.verify(byte[], int,
>>>> int) uses integer value to check whether (offset + length) is greater
>>>> than signature.length, but if (offset + length) overflows the check will
>>>> fail and ArrayIndexOutOfBoundsException will be thrown instead of
>>>> IllegalArgumentException.My proposed solution is to make a  conversion
>>>> to long in the if block.
>>>>
>>>> Thanks!
>>>> - Jonathan
>>>>
>>
>



More information about the security-dev mailing list