[15] Review request for 8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash

Philip Race philip.race at oracle.com
Mon Apr 13 19:22:33 UTC 2020

1594                 !env->IsInstanceOf(jOpposite, windowCls)) {

I am not entirely sure what this does if windowCls is NULL but the docs 
don't mention any exceptions :-
So I think it will just return false - and if windowCls is NULL we have 
big problems anyay.

So +1


On 4/10/20, 1:32 PM, Anton Litvinov wrote:
> Hello,
> Could you please review the following fix for the bug.
> Bug: https://bugs.openjdk.java.net/browse/JDK-8242498
> Webrev: http://cr.openjdk.java.net/~alitvinov/8242498/jdk15/webrev.00
> The bug is the JVM crash, which occurs because a not existing method 
> is called on a Java object which is not an instance of the expected 
> Java class that has such a method. Such discrepancy of the expected 
> type and the type in runtime is possible, because the Java object, 
> whose field value is set to the instance of the not expected Java 
> class, is instantiated by AWT native code through JNI invocation. 
> Since JNI does not validate arguments passed to Java class constructor 
> and since AWT native code does not validate arguments prior to 
> invoking Java class constructor through JNI, such invalid object is 
> created.
> The fact that in the method 
> "java.awt.DefaultKeyboardFocusManager.dispatchEvent(AWTEvent)" in the 
> case "WindowEvent.WINDOW_LOST_FOCUS" of switch operator the variable 
> defined by the expression "Window oppositeWindow = 
> we.getOppositeWindow();" in runtime is instance of 
> "java.awt.Component" class instead of "java.awt.Window" class. The 
> crash occurs during attempt to call the method 
> "java.awt.Window.getTemporaryLostComponent()" on the object 
> "oppositeWindow" which in runtime is "Component" instead of the 
> expected "Window" object, and since the method 
> "getTemporaryLostComponent()" does not exist in "java.awt.Component" 
> class JVM cannot find this method and initiates the crash.
> Transfer of the object of the incompatible type "java.awt.Component" 
> instead of an object of "java.awt.Window" type as "opposite" argument 
> to the constructor "TimedWindowEvent(Window source, int id, Window 
> opposite, int oldState, int newState, long time)" of the class 
> "sun.awt.TimedWindowEvent" through JNI invocation. This JNI invocation 
> occurs in the C++ class method "AwtWindow::SendWindowEvent(jint, HWND, 
> jint, jint)" in the file 
> "src/java.desktop/windows/native/libawt/windows/awt_Window.cpp". The 
> exact expression creating the instance of Java class 
> "TimedWindowEvent" with the invalid value of the field "opposite" is 
> following:
> jobject event = env->NewObject(wClassEvent, wEventInitMID, target, id,
>         jOpposite, oldState, newState, ::JVM_CurrentTimeMillis(NULL, 0));
> The fix changes "AwtWindow::SendWindowEvent(jint, HWND, jint, jint)" 
> method in the file "awt_Window.cpp" to introduce the code which 
> verifies that the Java object "jOpposite" is really instance of the 
> class "java.awt.Window", and if it is not then the fix tries to get 
> Java object corresponding to parent window of the original "opposite" 
> HWND. And if this parent window object also is not instance of 
> "java.awt.Window" class, then NULL value is passed to the constructor 
> of "TimedWindowEvent" class.
> Thank you,
> Anton

