JDK-8212779

ADL Parser does not check allocation return values in all cases

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 12
    • Fix Version/s: 12
    • Component/s: hotspot
    • Subcomponent:
    • Resolved In Build:
      b21

      Description

      An ADLC component suffers from multiple NULL pointer dereferences. Please
      add validation of malloc().

      Affected file:
      jdk-cdffba164671/src/hotspot/share/adlc/formssel.cpp

      Affected code 1 (when building the string representation of a subtree):
      -------------------------------
      void MatchNode::build_internalop( ) {
        char *iop, *subtree;
        const char *lstr, *rstr;
        // Build string representation of subtree
        // Operation lchildType rchildType
        int len = (int)strlen(_opType) + 4;
        lstr = (_lChild) ? ((_lChild->_internalop) ?
                             _lChild->_internalop : _lChild->_opType) : "";
        rstr = (_rChild) ? ((_rChild->_internalop) ?
                             _rChild->_internalop : _rChild->_opType) : "";
        len += (int)strlen(lstr) + (int)strlen(rstr);
        subtree = (char *)malloc(len);
        sprintf(subtree,"_%s_%s_%s", _opType, lstr, rstr); <=== Potential overflow
      -------------------------------

      Affected code 2 (recursively swap specified commutative operation with subtree
      operands):
      -------------------------------
      void MatchRule::matchrule_swap_commutative_op(const char* instr_ident, int count, int& match_rules_cnt) {
        assert(match_rules_cnt < 100," too many match rule clones");
        // Clone
        MatchRule* clone = new MatchRule(_AD, this);
        // Swap operands of commutative operation
        ((MatchNode*)clone)->swap_commutative_op(true, count);
        char* buf = (char*) malloc(strlen(instr_ident) + 4);
        sprintf(buf, "%s_%d", instr_ident, match_rules_cnt++); <=== Potential overflow
      -------------------------------

      Reported by Maksymilian Arciemowicz
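
A checked-allocation variant of the two formatting sites above, added here as an illustration and not taken from the JDK sources or from the fix: the buffer is sized from the formatted length and the `malloc()` result is tested before anything is written. `checked_format`, the wrapper names and the sample operand strings are assumptions made for the example.

```cpp
// Added example, not JDK code. All helper names here are hypothetical.
#include <cstdarg>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Returns a malloc'd formatted string, or NULL if formatting or allocation fails.
static char* checked_format(const char* fmt, ...) {
  va_list ap, ap2;
  va_start(ap, fmt);
  va_copy(ap2, ap);
  int need = vsnprintf(NULL, 0, fmt, ap);  // length excluding the terminator
  va_end(ap);
  char* buf = NULL;
  if (need >= 0) {
    buf = (char*)malloc((size_t)need + 1);
    if (buf != NULL) vsnprintf(buf, (size_t)need + 1, fmt, ap2);
  }
  va_end(ap2);
  return buf;  // caller must test for NULL and free()
}

// Same "_%s_%s_%s" layout as build_internalop().
static char* build_subtree_name(const char* op, const char* lstr, const char* rstr) {
  return checked_format("_%s_%s_%s", op, lstr, rstr);
}

// Same "%s_%d" layout as matchrule_swap_commutative_op().
static char* build_clone_name(const char* ident, int cnt) {
  return checked_format("%s_%d", ident, cnt);
}

// Bytes reserved by the second snippet on the page: strlen(instr_ident) + 4.
static size_t original_clone_alloc(const char* ident) { return strlen(ident) + 4; }

int main() {
  const char* ident = "addI_rReg";  // constructed sample identifier
  char* a = build_subtree_name("AddI", "LoadI", "");  // constructed operands
  char* b = build_clone_name(ident, 100);
  if (a == NULL || b == NULL) {
    fprintf(stderr, "allocation failed\n");
    free(a); free(b);
    return 1;
  }
  printf("%s\n%s needs %zu bytes, fixed size reserves %zu\n",
         a, b, strlen(b) + 1, original_clone_alloc(ident));
  free(a); free(b);
  return 0;
}
```

With a counter of 100 the `%s_%d` name needs one byte more than `strlen(instr_ident) + 4`, so the fixed size is only sufficient while the `match_rules_cnt < 100` assertion holds.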

              People

              • Assignee:
                jcm Jamsheed C M
                Reporter:
                ahgross Andrew Gross