Hi Xuelei,
Thanks for review!
On 05/29/2012 02:45 PM, Xuelei Fan wrote:
That's an interesting topic. From my understanding, the length of an array
is of type "int". So normally, the (offset + length) should not be
greater than Integer.MAX_VALUE. Of course, hostile or improper code is
not the case here.
What's interesting to me is that maybe when we do an additive operation
for two "int" values, we may have to convert it to "long" in case of any
overflow strictly. We are lucky here because we have the "long" type. But
what about the additive operation for two "long" values?
I think this issue is special, since it is about the index value of Java
arrays, which is limited to less than Integer.MAX_VALUE according to the
Java language specification, not other general conditions of comparing
integer or long values.
Jonathan, do you run into the problem in real world?
For now I am not quite sure whether it is from a real world problem,
but this problem does exhibit some weakness or behavior differences, right?
Thanks & regards
-Jonathan
Thanks & Regards,
Xuelei
On 5/29/2012 1:53 PM, Jonathan Lu wrote:
Hi Security-dev,
Here's a patch for bug 7172149, could anybody please help to take a look?
http://cr.openjdk.java.net/~luchsh/7172149/
The problem is that the range check in Signature.verify(byte[], int,
int) uses an integer value to check whether (offset + length) is greater
than signature.length, but if (offset + length) overflows the check will
fail and ArrayIndexOutOfBoundsException will be thrown instead of
IllegalArgumentException. My proposed solution is to make a conversion
to long in the if block.
Thanks!
- Jonathan
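To make the failure mode concrete, here is an added example (not JDK source and not the patch at the URL above) placing an int-typed check of the shape Jonathan describes beside a long-widened one; the original expression, the class name RangeCheckDemo and its helper methods are assumptions.

```java
// Added example, not JDK source or the patch under review: an int-typed range
// check of the shape described in the thread beside one widened to long. The
// exact expression in the original Signature.verify(byte[], int, int) is assumed.
public final class RangeCheckDemo {

    // Int-typed check: if offset + length wraps past Integer.MAX_VALUE the sum
    // turns negative, the comparison passes, and the later array access fails
    // with ArrayIndexOutOfBoundsException instead of IllegalArgumentException.
    static boolean acceptsIntCheck(byte[] sig, int offset, int length) {
        if (offset < 0 || length < 0) {
            return false;
        }
        return offset + length <= sig.length;   // wraps on overflow
    }

    // Widened check: (long) offset + (long) length cannot wrap, so an
    // out-of-range pair is rejected before any array access happens.
    static boolean acceptsLongCheck(byte[] sig, int offset, int length) {
        if (offset < 0 || length < 0) {
            return false;
        }
        return (long) offset + (long) length <= sig.length;
    }

    // Stand-in for the engine reading the signature bytes after the check.
    static int consume(byte[] sig, int offset, int length) {
        int acc = 0;
        for (int i = 0; i < length; i++) {
            acc ^= sig[offset + i];
        }
        return acc;
    }

    public static void main(String[] args) {
        byte[] sig = new byte[64];          // constructed stand-in for a signature
        int offset = 1;
        int length = Integer.MAX_VALUE;     // offset + length wraps to Integer.MIN_VALUE

        System.out.println("int check accepts:  " + acceptsIntCheck(sig, offset, length));
        System.out.println("long check accepts: " + acceptsLongCheck(sig, offset, length));
        try {
            consume(sig, offset, length);   // reached only because the int check passed
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("int check let the call through: " + e);
        }
    }
}
```

The int check accepts the pair and the read then fails on index 64, while the widened check rejects it up front with the IllegalArgumentException path the caller expects.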