RFR 8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length

Weijun Wang weijun.wang at oracle.com
Sun Jul 30 22:11:31 UTC 2017


> On Jul 19, 2017, at 1:55 AM, Adam Petcher <adam.petcher at oracle.com> wrote:
> 
> Some additional investigation revealed that IOUtils.readFully() is only used by DER, JKS, and Kerberos. None of these need the "read to the end of the buffer" feature. This behavior of readFully() is confusing, so it is probably best to remove it.

Just back from vacation.

Yes, you are right. I filed https://bugs.openjdk.java.net/browse/JDK-8182151 some time ago. IIRC, with the proposed InputStream::readNBytes(int length) and existing InputStream::readAllBytes(), there will be no need to call IOUtils.readFully() anymore.

Thanks
Max

> 
> Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.01/
> 
> 
> On 7/12/2017 2:38 PM, Adam Petcher wrote:
>> This is a bug fix for a corner case in which a DER value has length equal to Integer.MAX_VALUE. The code uses IOUtils.readFully() to read the value, which interprets length=Integer.MAX_VALUE to mean "read to the end." The result is that no exception will be thrown when fewer than Integer.MAX_VALUE bytes are read from the stream. The fix adds a check after the readFully() to ensure that the expected number of bytes were read.
>> 
>> Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.00/
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8183591
>> 
> 
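The defensive pattern the thread converges on, as an added example that is not the webrev's code or any JDK source: decode the DER length octets, read the value with a bounded read that has no "read to end of stream" special case, and fail when the count actually read differs from the declared length. It assumes Java 11 or later for InputStream.readNBytes(int), which allocates incrementally, so a declared length of Integer.MAX_VALUE on a short stream produces a small array and an exception rather than a silent success or a huge allocation. The sample encodings are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

// Added example (not JDK code): read one DER TLV and reject a truncated value,
// regardless of whether the declared length happens to be Integer.MAX_VALUE.
public class DerLengthCheck {

    // Decode DER length octets: short form (one byte) or long form (up to 4 length bytes).
    static int readLength(InputStream in) throws IOException {
        int first = in.read();
        if (first < 0) throw new EOFException("missing length octet");
        if ((first & 0x80) == 0) return first;                 // short form
        int n = first & 0x7f;
        if (n == 0 || n > 4) throw new IOException("unsupported DER length encoding");
        long len = 0;
        for (int i = 0; i < n; i++) {
            int b = in.read();
            if (b < 0) throw new EOFException("truncated length octets");
            len = (len << 8) | b;
        }
        if (len > Integer.MAX_VALUE) throw new IOException("DER length exceeds int range");
        return (int) len;
    }

    // Read exactly `len` value bytes; readNBytes returns fewer only at EOF, so
    // comparing the count to the declared length catches every truncated value.
    static byte[] readValue(InputStream in, int len) throws IOException {
        byte[] value = in.readNBytes(len);
        if (value.length != len) {
            throw new EOFException("DER value truncated: expected " + len
                    + " bytes, read " + value.length);
        }
        return value;
    }

    // Read tag, length and value; returns the value bytes.
    static byte[] readTlv(byte[] encoded) throws IOException {
        InputStream in = new ByteArrayInputStream(encoded);
        int tag = in.read();
        if (tag < 0) throw new EOFException("missing tag");
        int len = readLength(in);
        return readValue(in, len);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: OCTET STRING of 3 bytes, well-formed.
        byte[] good = {0x04, 0x03, 0x01, 0x02, 0x03};
        System.out.println("good value length = " + readTlv(good).length);   // 3

        // Constructed sample: declared length 0x7fffffff (Integer.MAX_VALUE) in
        // long form, but only two value bytes follow. Must throw, not succeed.
        byte[] bad = {0x04, (byte) 0x84, 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, 0x01, 0x02};
        try {
            readTlv(bad);
            System.out.println("BUG: truncated value accepted");
        } catch (EOFException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the JDK code under discussion the same check is the post-readFully() comparison the webrev adds; here readNBytes(int) makes the bounded read explicit, which is the direction Max's JDK-8182151 points toward.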