RFR 8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length

Adam Petcher adam.petcher at oracle.com
Tue Jul 18 17:55:05 UTC 2017

Some additional investigation revealed that IOUtils.readFully() is only 
used by DER, JKS, and Kerberos. None of these need the "read to the end 
of the buffer" feature. This behavior of readFully() is confusing, so it 
is probably best to remove it.

Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.01/

On 7/12/2017 2:38 PM, Adam Petcher wrote:
> This is a bug fix for a corner case in which a DER value has length 
> equal to Integer.MAX_VALUE. The code uses IOUtils.readFully() to read 
> the value, which interprets length=Integer.MAX_VALUE to mean "read to 
> the end." The result is that no exception will be thrown when fewer 
> then Integer.MAX_VALUE bytes are read from the stream. The fix adds a 
> check after the readFully() to ensure that the expected number of 
> bytes were read.
> Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.00/
> JBS: https://bugs.openjdk.java.net/browse/JDK-8183591

More information about the security-dev mailing list