That's an interesting topic. From my understanding, the length of an array is of type "int". So normally, the (offset + length) should not be greater than Integer.MAX_VALUE. Of course, hostile or improper code is not the case.
What's interesting to me is that maybe when we do an additive operation for two "int" values, we may have to convert them to "long" in case of any overflow, strictly. We are lucky here because we have the "long" type. But what about the additive operation for two "long" values?

Jonathan, do you run into the problem in the real world?

Thanks & Regards,
Xuelei

On 5/29/2012 1:53 PM, Jonathan Lu wrote:
> Hi Security-dev,
>
> Here's a patch for bug7172149, could anybody please help to take a look?
> http://cr.openjdk.java.net/~luchsh/7172149/
>
> The problem is that the range check in Signature.verify(byte[], int,
> int) uses an integer value to check whether (offset + length) is greater
> than signature.length, but if (offset + length) overflows the check will
> fail and ArrayIndexOutOfBoundsException will be thrown instead of
> IllegalArgumentException. My proposed solution is to make a conversion
> to long in the if block.
>
> Thanks!
> - Jonathan
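
The range check discussed in this thread, as an added example that is not part of the original messages or of the OpenJDK patch: it models the int-sum check from the report, the widening to long, and two overflow-safe forms that also work when both operands are already "long". The class and method names are hypothetical, and the 16-byte array is a constructed sample.

```java
// Added illustration; class and method names are hypothetical, not OpenJDK code.
public class RangeCheckDemo {

    // Model of the check the report describes: the sum is computed in int,
    // so it can wrap to a negative value and slip past the comparison.
    static boolean rejectedIntSum(byte[] sig, int offset, int length) {
        return offset + length > sig.length;
    }

    // Fix proposed in the report: widen one operand to long before adding.
    static boolean rejectedLongSum(byte[] sig, int offset, int length) {
        return (long) offset + length > sig.length;
    }

    // No wider type needed: compare by subtraction, which cannot overflow
    // once offset is known to lie in [0, size]. Works for long operands too.
    static boolean rejectedNoAdd(long size, long offset, long length) {
        return offset < 0 || length < 0 || offset > size || length > size - offset;
    }

    // Alternative for two longs: Math.addExact throws ArithmeticException
    // on overflow instead of wrapping silently.
    static boolean rejectedAddExact(long size, long offset, long length) {
        if (offset < 0 || length < 0) {
            return true;
        }
        try {
            return Math.addExact(offset, length) > size;
        } catch (ArithmeticException overflow) {
            return true;
        }
    }

    public static void main(String[] args) {
        byte[] sig = new byte[16];          // constructed sample buffer
        int offset = 8;
        int length = Integer.MAX_VALUE;     // offset + length wraps in int

        System.out.println("int sum rejects:    " + rejectedIntSum(sig, offset, length));
        System.out.println("long sum rejects:   " + rejectedLongSum(sig, offset, length));
        System.out.println("no-add rejects:     " + rejectedNoAdd(sig.length, offset, length));
        System.out.println("addExact rejects:   "
                + rejectedAddExact(Long.MAX_VALUE, 8L, Long.MAX_VALUE));
        System.out.println("no-add (long) rejects: "
                + rejectedNoAdd(Long.MAX_VALUE, 8L, Long.MAX_VALUE));
    }
}
```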