JDK-4798379 : zip memcpy should have bounds assertions
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.util
  • Affected Version: 1.4.0
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: solaris_7
  • CPU: sparc
  • Submitted: 2003-01-02
  • Updated: 2003-01-15
  • Resolved: 2003-01-15
Related Reports
Duplicate :  
Description
zip_util.c memcpy should check bounds before doing a memcpy

Comments
SUGGESTED FIX >> >> > >------- zip_util.c ------- >> >> > >*** /tmp/dq2aqYp Wed Dec 11 18:18:14 2002 >> >> > >--- zip_util.c Tue Nov 12 17:12:14 2002 >> >> > >*************** >> >> > >*** 767,772 **** >> >> > >--- 767,773 ---- >> >> > > jzentry *ze; >> >> > > >> >> > > #ifdef USE_MMAP >> >> > >+ jint start, end; >> >> > > locbuf = zip->maddr + zc->pos; >> >> > > #else >> >> > > /* Seek to beginning of LOC header */ >> >> > >*************** >> >> > >*** 811,816 **** >> >> > >--- 812,823 ---- >> >> > > ze->extra[1] = (unsigned char)(elen >> 8); >> >> > > >> >> > > #ifdef USE_MMAP >> >> > >+ start = off; >> >> > >+ end = start + elen; >> >> > >+ if( start < 0 || end > zip->len) { >> >> > >+ zip->msg = "ZIP_Read: memcpy: start or end out of range"; >> >> > >+ return NULL; >> >> > >+ } >> >> > > memcpy(&ze->extra[2], zip->maddr + off, elen); >> >> > > #else USE_MMAP >> >> > > /* Seek to begin of CEN header extra field */ >> >> > > >> >> > >
11-06-2004
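Review bot: in the second hunk, `end = start + elen` is computed in `jint` before the `end > zip->len` test, so an `off` near the top of the `jint` range from a corrupt entry can wrap the sum negative and pass the check. Compare without adding, for example `if (off < 0 || elen < 0 || elen > zip->len - off)`. This makes `start` and `end` unnecessary and also rejects a negative `elen`. Separately, the new `return NULL` sits after `ze->extra[1]` has been written, so this error path should release `ze` and `ze->extra` the same way the function's other failure paths do, rather than returning directly.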
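Review bot: in the first hunk, `locbuf = zip->maddr + zc->pos;` in the same `USE_MMAP` branch still forms a pointer into the mapping with no range check. The new `start`/`end` variables declared here are only used for the extra-field `memcpy` further down. If `zc->pos` is taken from the same file data as `off`, check it against `zip->len` (including the length of the LOC header that is read through `locbuf`) before `locbuf` is dereferenced.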

EVALUATION

This fix will keep zips with corrupt extra data sizes from crashing the VM.
###@###.### 2003-01-07

This bug is a duplicate of CTE bug 4772649. The suggested fix will be applied to the mantis workspace under that bugid.
-- iag@sfbay 2003-01-15
07-01-2003