Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-6788196

(porting) Bounds checks in io_util.c rely on undefined behaviour

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 5.0u17, 7
    • Fix Version/s: 7
    • Component/s: core-libs
    • Subcomponent:
    • Resolved In Build:
      b44
    • CPU:
      x86
    • OS:
      linux

      Backports

        Description

        FULL PRODUCT VERSION :
        java version "1.6.0_0"
        OpenJDK Runtime Environment (build 1.6.0_0-b12)
        OpenJDK Core VM (build 14.0-b08, interpreted mode)
        (built from icedtea6-ce9956fe8908)

        ADDITIONAL OS VERSION INFORMATION :
        All platforms

        A DESCRIPTION OF THE PROBLEM :
        In jdk/src/share/native/java/io/io_util.c, both readBytes and writeBytes include the following array bounds check:

          if ((off < 0) || (off > datalen) ||
              (len < 0) || ((off + len) > datalen) || ((off + len) < 0)) {
                 JNU_ThrowByName(env, "java/lang/IndexOutOfBoundsException", 0);
                 return -1;
             }

        off, len and datalen are all signed 32-bit integers. The result of (off + len) is undefined in C if the result overflows, which can cause the exception not to be thrown. This causes testsuite failures on 32-bit Linux PowerPC on Fedora 10.

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Compile the test case and run it on 32-bit Linux PowerPC on Fedora 10.

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        Exception in thread "main" java.lang.IndexOutOfBoundsException
        at java.io.FileInputStream.readBytes(Native Method)
        at java.io.FileInputStream.read(FileInputStream.java:236)
        at Test.main(Test.java:5)

        ACTUAL -
        Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at java.io.FileInputStream.readBytes(Native Method)
        at java.io.FileInputStream.read(FileInputStream.java:236)
        at Test.main(Test.java:5)

        Note that the thrown exception is different; I'm guessing it comes from the (*env)->SetByteArrayRegion further down readBytes.

        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        import java.io.FileInputStream;
        class Test {
          public static void main(String[] args) throws Exception {
            byte[] b = new byte[20];
            (new FileInputStream("/bin/ls")).read(b, 1, 0x7fffffff);
          }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        http://icedtea.classpath.org/hg/icedtea6/file/ce9956fe8908/patches/icedtea-io_util-overflow.patch

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  alanb Alan Bateman
                  Reporter:
                  ndcosta Nelson Dcosta (Inactive)
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  2 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: