BTW: Can in.available() be < length as well? In that case the exception before your changed line would be misleading.

Regards,
Bernd
--
http://bernd.eckenfels.net
________________________________
From: security-dev <security-dev-boun...@openjdk.java.net> on behalf of Adam Petcher <adam.petc...@oracle.com>
Sent: Wednesday, July 12, 2017 8:38:25 PM
To: security-dev@openjdk.java.net
Subject: RFR 8183591: Incorrect behavior when reading DER value with Integer.MAX_VALUE length

This is a bug fix for a corner case in which a DER value has length equal to Integer.MAX_VALUE. The code uses IOUtils.readFully() to read the value, which interprets length=Integer.MAX_VALUE to mean "read to the end." The result is that no exception will be thrown when fewer than Integer.MAX_VALUE bytes are read from the stream. The fix adds a check after the readFully() to ensure that the expected number of bytes were read.

Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.00/
JBS: https://bugs.openjdk.java.net/browse/JDK-8183591
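
The corner case described in the RFR above, as an added Java example that is not part of the original thread and is not the JDK's code. readFullyLike() is a hypothetical stand-in that only models the "Integer.MAX_VALUE means read to the end" behaviour, and readValue() shows the kind of post-read length check the RFR describes; the 3-byte input is constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

public class DerLengthCheck {

    // Hypothetical stand-in for the reader described in the thread:
    // length == Integer.MAX_VALUE is treated as "read to the end",
    // so a short stream is not an error for that one value.
    static byte[] readFullyLike(InputStream in, int length) throws IOException {
        boolean readToEnd = (length == Integer.MAX_VALUE);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        while (out.size() < length) {
            int want = Math.min(chunk.length, length - out.size());
            int n = in.read(chunk, 0, want);
            if (n < 0) {
                if (readToEnd) {
                    break; // sentinel value: EOF is accepted silently
                }
                throw new EOFException("expected " + length + " bytes, got " + out.size());
            }
            out.write(chunk, 0, n);
        }
        return out.toByteArray();
    }

    // Compare what was actually read with the length declared in the DER header.
    static byte[] readValue(InputStream in, int declaredLength) throws IOException {
        byte[] value = readFullyLike(in, declaredLength);
        if (value.length != declaredLength) {
            throw new IOException("short read of DER value: declared "
                    + declaredLength + ", got " + value.length);
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        byte[] body = {0x01, 0x02, 0x03}; // constructed sample content
        // Without the check, a declared length of Integer.MAX_VALUE is accepted.
        byte[] unchecked = readFullyLike(new ByteArrayInputStream(body), Integer.MAX_VALUE);
        System.out.println("unchecked read returned " + unchecked.length + " bytes");
        try {
            readValue(new ByteArrayInputStream(body), Integer.MAX_VALUE);
        } catch (IOException e) {
            System.out.println("checked read rejected: " + e.getMessage());
        }
    }
}
```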