On 7/12/2017 6:27 PM, Bernd Eckenfels wrote:
BTW: Can in.available() be < length as well? In that case the
exception before your changed line would be misleading.
Yes. I changed the text of that exception to make it a bit more general,
and made the text of the new exception match.
New webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.01/
Gruss
Bernd
--
http://bernd.eckenfels.net
------------------------------------------------------------------------
*From:* security-dev <security-dev-boun...@openjdk.java.net> on behalf
of Adam Petcher <adam.petc...@oracle.com>
*Sent:* Wednesday, July 12, 2017 8:38:25 PM
*To:* security-dev@openjdk.java.net
*Subject:* RFR 8183591: Incorrect behavior when reading DER value with
Integer.MAX_VALUE length
This is a bug fix for a corner case in which a DER value has length
equal to Integer.MAX_VALUE. The code uses IOUtils.readFully() to read
the value, which interprets length=Integer.MAX_VALUE to mean "read to
the end." The result is that no exception will be thrown when fewer than
Integer.MAX_VALUE bytes are read from the stream. The fix adds a check
after the readFully() to ensure that the expected number of bytes were
read.
Webrev: http://cr.openjdk.java.net/~apetcher/8183591/webrev.00/
JBS: https://bugs.openjdk.java.net/browse/JDK-8183591
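The corner case described in this thread, as an added example that is not code from the webrev or from the JDK: the `readFully` below is a hypothetical stand-in that models the "length = Integer.MAX_VALUE means read to the end" behaviour, and `readValue` applies a post-read length check of the kind the fix describes. The class name, method names, exception text and sample bytes are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;

public class DerLengthCheck {
    // Hypothetical stand-in for the helper described in the thread:
    // length == Integer.MAX_VALUE is treated as "read to the end", so a
    // short stream is returned without any exception.
    static byte[] readFully(InputStream in, int length) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int remaining = length;
        while (remaining > 0) {
            int n = in.read(buf, 0, Math.min(buf.length, remaining));
            if (n < 0) {
                if (length != Integer.MAX_VALUE) {
                    throw new EOFException("short read");
                }
                break; // "read to the end": EOF is accepted silently
            }
            out.write(buf, 0, n);
            remaining -= n;
        }
        return out.toByteArray();
    }

    // Reader with a post-read check: the declared length must match
    // the number of bytes actually obtained, whatever the helper did.
    static byte[] readValue(InputStream in, int length) throws IOException {
        byte[] value = readFully(in, length);
        if (value.length != length) {
            throw new IOException("expected " + length + " bytes, got " + value.length);
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        byte[] body = {0x01, 0x02, 0x03}; // constructed sample: 3 content bytes
        int declared = Integer.MAX_VALUE; // length claimed by the DER header
        byte[] unchecked = readFully(new ByteArrayInputStream(body), declared);
        System.out.println("unchecked read returned " + unchecked.length + " bytes");
        try {
            readValue(new ByteArrayInputStream(body), declared);
        } catch (IOException e) {
            System.out.println("checked read rejected: " + e.getMessage());
        }
    }
}
```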