In libparser/java.c, there is a fixed-size buffer which is filled with
potentially unbounded-length data due to multiple layers of nesting.
Specifically, an out-of-bounds write to completename can occur due to
unchecked concatenation of nested class names and separators in the '{'
handler. At lines ~91–106, p points into completename and is advanced via
'*p++ = '.';' and 'while (*q) *p++ = *q++;' with no bounds checking. With
enough nesting or long class names, p exceeds the 1024-byte buffer.
Note: each name component is limited to 511 characters, but there is no
limit on the number of components.
A fix that safely supports arbitrary nesting depths should switch to a heap
buffer that is reallocated as needed to fit the current name.
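The following is an added example of the suggested fix, not code from libparser/java.c or any GNU GLOBAL release: a heap-backed name buffer that grows as nested class components are appended, so that the depth of nesting no longer bounds the name. The type and function names (`namebuf`, `namebuf_push_component`, `build_nested_name`), the 64-byte initial capacity and the constructed all-'A' components are assumptions for illustration; `FIXED_NAME_SIZE` and `MAX_COMPONENT` mirror the 1024-byte buffer and 511-character per-component limit described above.

```c
/* Added example (not GNU GLOBAL's libparser/java.c): a growable heap buffer
 * for the complete nested class name, in place of a fixed 1024-byte array.
 * Names and limits below are assumptions chosen for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FIXED_NAME_SIZE 1024   /* size of the fixed buffer in the report */
#define MAX_COMPONENT   511    /* per-component limit in the report */

struct namebuf {
    char  *p;    /* heap storage, always NUL-terminated */
    size_t len;  /* bytes in use, excluding the NUL */
    size_t cap;  /* bytes allocated */
};

int namebuf_init(struct namebuf *nb)
{
    nb->cap = 64;               /* assumed starting capacity; grows on demand */
    nb->len = 0;
    nb->p = malloc(nb->cap);
    if (nb->p == NULL)
        return -1;
    nb->p[0] = '\0';
    return 0;
}

/* Ensure room for `extra` more bytes plus the terminator, doubling as needed. */
static int namebuf_reserve(struct namebuf *nb, size_t extra)
{
    size_t need = nb->len + extra + 1;
    if (need < extra)           /* the addition itself wrapped around */
        return -1;
    if (need <= nb->cap)
        return 0;
    size_t ncap = nb->cap;
    while (ncap < need) {
        if (ncap > SIZE_MAX / 2)
            return -1;
        ncap *= 2;
    }
    char *np = realloc(nb->p, ncap);
    if (np == NULL)
        return -1;              /* old buffer is still valid and owned by nb */
    nb->p = np;
    nb->cap = ncap;
    return 0;
}

/* Bounded replacement for the unchecked 'while (*q) *p++ = *q++;' copy. */
static int namebuf_append(struct namebuf *nb, const char *s, size_t n)
{
    if (namebuf_reserve(nb, n) < 0)
        return -1;
    memcpy(nb->p + nb->len, s, n);
    nb->len += n;
    nb->p[nb->len] = '\0';
    return 0;
}

/* Entering a nested class ('{' handler): "Outer" becomes "Outer.Inner". */
int namebuf_push_component(struct namebuf *nb, const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > MAX_COMPONENT)
        return -1;
    if (nb->len > 0 && namebuf_append(nb, ".", 1) < 0)
        return -1;
    return namebuf_append(nb, name, n);
}

/* Leaving a nested class ('}' handler): drop the last component. */
void namebuf_pop_component(struct namebuf *nb)
{
    char *dot = strrchr(nb->p, '.');
    nb->len = dot ? (size_t)(dot - nb->p) : 0;
    nb->p[nb->len] = '\0';
}

void namebuf_free(struct namebuf *nb)
{
    free(nb->p);
    nb->p = NULL;
    nb->len = nb->cap = 0;
}

/* Bytes (including the NUL) a name of `depth` components of `clen` chars needs. */
size_t required_size(size_t depth, size_t clen)
{
    return depth * clen + (depth ? depth - 1 : 0) + 1;
}

/* Builds a name of `depth` constructed components ("AAAA..."), each `clen`
 * characters long. Returns a malloc'd string the caller frees, or NULL. */
char *build_nested_name(size_t depth, size_t clen)
{
    struct namebuf nb;
    char *comp = malloc(clen + 1);
    if (comp == NULL || namebuf_init(&nb) < 0) { free(comp); return NULL; }
    memset(comp, 'A', clen);
    comp[clen] = '\0';
    for (size_t i = 0; i < depth; i++) {
        if (namebuf_push_component(&nb, comp) < 0) {
            free(comp); namebuf_free(&nb); return NULL;
        }
    }
    free(comp);
    return nb.p;                /* ownership of the heap buffer passes to the caller */
}

int main(void)
{
    /* Three components of 400 chars need 1203 bytes, more than the fixed 1024. */
    char *name = build_nested_name(3, 400);
    if (name == NULL) return 1;
    printf("depth 3 x 400 chars: %zu bytes needed, fixed buffer holds %d (%s)\n",
           required_size(3, 400), FIXED_NAME_SIZE,
           required_size(3, 400) > FIXED_NAME_SIZE ? "would overflow" : "fits");
    printf("built %zu characters on the heap without truncation\n", strlen(name));
    free(name);
    return 0;
}
```

Every component copy goes through `namebuf_append`, which reserves space before writing, so the depth of nesting only affects how often `realloc` runs. `required_size` makes the failure mode of the fixed buffer visible: with the 511-character per-component limit, just three components already exceed 1024 bytes.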
Note: this bug was found by Theori's Xint Code analysis.
Thanks,
Tim Becker
Theori