<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>On 7/20/2017 1:32 PM, Bernd wrote:<br>
</p>
<blockquote
cite="mid:CABOR3+z6pY=FjBSi=3o58_kK+T002Ph7p5tTT=xsSt-7Ck0-jQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Why not make a different utility method for this case. <br>
</div>
<br>
readRemaining() vs. readFully(int)<br>
<div><br>
The name makes not much sense and the code does not get easier
if both cases are in one method for no good reason.<br>
</div>
</div>
</blockquote>
<br>
I agree, but the method that takes a length argument is the only one
that is needed at the moment. We can add another method later if it
is needed. Are you saying there is something wrong with the
readFully(int) method in my last webrev? <br>
<br>
<blockquote
cite="mid:CABOR3+z6pY=FjBSi=3o58_kK+T002Ph7p5tTT=xsSt-7Ck0-jQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>And I wonder if allocating a MAXINTEGER buffer from
untrusted source is a good idea.<br>
</div>
</div>
</blockquote>
<br>
This method will only allocate a large buffer if the untrusted
source actually sent a large amount of bytes. <br>
<br>
<blockquote
cite="mid:CABOR3+z6pY=FjBSi=3o58_kK+T002Ph7p5tTT=xsSt-7Ck0-jQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Gruss<br>
</div>
<div>Bernd<br>
</div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-07-20 15:49 GMT+02:00 Adam
Petcher <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:adam.petcher@oracle.com" target="_blank">adam.petcher@oracle.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Oops.
Better to throw an IOException when a negative length is
given to readFully.<br>
<br>
Webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Eapetcher/8183591/webrev.02/"
rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~ap<wbr>etcher/8183591/webrev.02/</a>
<div class="HOEnZb">
<div class="h5"><br>
<br>
<br>
On 7/18/2017 1:55 PM, Adam Petcher wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
Some additional investigation revealed that
IOUtils.readFully() is only used by DER, JKS, and
Kerberos. None of these need the "read to the end
of the buffer" feature. This behavior of
readFully() is confusing, so it is probably best
to remove it.<br>
<br>
Webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Eapetcher/8183591/webrev.01/"
rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~ap<wbr>etcher/8183591/webrev.01/</a><br>
<br>
<br>
On 7/12/2017 2:38 PM, Adam Petcher wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
This is a bug fix for a corner case in which a
DER value has length equal to Integer.MAX_VALUE.
The code uses IOUtils.readFully() to read the
value, which interprets length=Integer.MAX_VALUE
to mean "read to the end." The result is that no
exception will be thrown when fewer then
Integer.MAX_VALUE bytes are read from the
stream. The fix adds a check after the
readFully() to ensure that the expected number
of bytes were read.<br>
<br>
Webrev: <a moz-do-not-send="true"
href="http://cr.openjdk.java.net/%7Eapetcher/8183591/webrev.00/"
rel="noreferrer" target="_blank">http://cr.openjdk.java.net/~ap<wbr>etcher/8183591/webrev.00/</a><br>
JBS: <a moz-do-not-send="true"
href="https://bugs.openjdk.java.net/browse/JDK-8183591"
rel="noreferrer" target="_blank">https://bugs.openjdk.java.net/<wbr>browse/JDK-8183591</a><br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>