JDK-6832374 : (reflect) malformed signature can cause parser to go into infinite loop
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.lang:reflect
  • Affected Version: 6u10
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2009-04-21
  • Updated: 2012-09-28
  • Resolved: 2012-05-07
The Version table provides details of the release in which this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

JDK 7: 7u2 (Fixed)
JDK 8: 8 b04 (Fixed)
Description
FULL PRODUCT VERSION :
$ java -version
java version "1.5.0_16"
$ java -version
openjdk version "1.7.0-internal"
1.6.0_12-b04
(I think you'll find this is in about every version of java.)

ADDITIONAL OS VERSION INFORMATION :
All OSes.

A DESCRIPTION OF THE PROBLEM :
A logic error in SignatureParser.java makes it possible for a malformed signature to push the JVM into an infinite loop, which only ends when heap is exhausted.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the attached program.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Something like "parse error, malformed method descriptor."
ACTUAL -
<twiddle twiddle twiddle> boom.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
	at java.util.ArrayList.ensureCapacity(ArrayList.java:169)
	at java.util.ArrayList.add(ArrayList.java:351)
	at sun.reflect.generics.parser.SignatureParser.parseFormalTypeParameters(SignatureParser.java:190)
	at sun.reflect.generics.parser.SignatureParser.parseZeroOrMoreFormalTypeParameters(SignatureParser.java:177)
	at sun.reflect.generics.parser.SignatureParser.parseMethodTypeSignature(SignatureParser.java:436)
	at sun.reflect.generics.parser.SignatureParser.parseMethodSig(SignatureParser.java:141)
	at SigP.main(SigP.java:8)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import sun.reflect.generics.parser.SignatureParser;

public class SigP {
  public static void main(String[] args) {
    SignatureParser sp = SignatureParser.make();
    String sig = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Symbol;>(TT;Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Type;)TT;";
    
    sp.parseMethodSig(sig);
  }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
  Fix SignatureParser and rebuild the JDK. The exploitable logic around line 210:

while (current() != '>') {
    ftps.add(parseFormalTypeParameter());
}

It is possible for parseFormalTypeParameter() not to advance the input, so this will loop indefinitely, allocating new empty type parameters until it exhausts its rope.
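To make the defect concrete, the following is an added illustrative example written for this page; it is not the JDK's sun.reflect.generics.parser.SignatureParser and not the fix referenced in the comments. It implements a simplified FormalTypeParameters production ('<' FormalTypeParameter+ '>') and places the unguarded loop quoted above beside a loop that requires every iteration to consume input and treats end of input as an error. The class name, method names and the two signature strings are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative mini-parser for '<' FormalTypeParameter+ '>'.
 * Constructed for this example; NOT the JDK's SignatureParser, and the
 * grammar is simplified (bounds are only 'L...;' class types or 'T...;' type variables).
 */
public class FormalTypeParamDemo {

    /** Stand-in for java.lang.reflect.GenericSignatureFormatError. */
    public static class MalformedSignatureException extends RuntimeException {
        public MalformedSignatureException(String msg) { super(msg); }
    }

    private static final char EOI = '\0';   // end-of-input sentinel
    private final String input;
    private int index;

    private FormalTypeParamDemo(String input) { this.input = input; }

    private char current() { return index < input.length() ? input.charAt(index) : EOI; }
    private void advance() { index++; }

    private void expect(char c) {
        if (current() != c) throw new MalformedSignatureException("expected '" + c + "' at index " + index);
        advance();
    }

    // Identifier characters in a signature: anything except the structural delimiters.
    private static boolean isIdentifierChar(char c) {
        return c != EOI && ".;[/<>:".indexOf(c) < 0;
    }

    private String parseIdentifier() {
        int start = index;
        while (isIdentifierChar(current())) advance();
        return input.substring(start, index);   // legitimately "" on malformed input
    }

    // Returns null WITHOUT consuming anything when no bound starts here.
    private String parseBound() {
        if (current() != 'L' && current() != 'T') return null;
        int start = index;
        while (current() != ';' && current() != EOI) advance();
        if (current() == EOI) throw new MalformedSignatureException("unterminated bound at index " + start);
        advance();   // consume ';'
        return input.substring(start, index);
    }

    // FormalTypeParameter: Identifier (':' [Bound])*
    // Like the callee in the report, this can return without consuming input:
    // an empty identifier followed by anything other than ':'.
    private String parseFormalTypeParameter() {
        String name = parseIdentifier();
        List<String> bounds = new ArrayList<>();
        while (current() == ':') {
            advance();
            String bound = parseBound();
            if (bound != null) bounds.add(bound);
        }
        return name + bounds;
    }

    /** The unguarded loop from the report, capped only so this demo terminates. Returns iterations used. */
    public static int naiveLoopIterations(String sig, int cap) {
        FormalTypeParamDemo p = new FormalTypeParamDemo(sig);
        p.expect('<');
        List<String> ftps = new ArrayList<>();
        int iterations = 0;
        while (p.current() != '>' && iterations < cap) {
            ftps.add(p.parseFormalTypeParameter());   // no progress => list grows until heap is gone
            iterations++;
        }
        return iterations;
    }

    /** Hardened loop: each iteration must advance the cursor, and end of input is a parse error. */
    public static List<String> parseGuarded(String sig) {
        FormalTypeParamDemo p = new FormalTypeParamDemo(sig);
        p.expect('<');
        List<String> ftps = new ArrayList<>();
        while (p.current() != '>') {
            if (p.current() == EOI) throw new MalformedSignatureException("unterminated formal type parameter list");
            int before = p.index;
            ftps.add(p.parseFormalTypeParameter());
            if (p.index == before) {
                throw new MalformedSignatureException("malformed formal type parameter at index " + before
                        + " (unexpected '" + p.current() + "')");
            }
        }
        p.advance();   // consume '>'
        if (ftps.isEmpty()) throw new MalformedSignatureException("empty formal type parameter list");
        return ftps;
    }

    public static void main(String[] args) {
        String good = "<T:Ljava/lang/Object;U::Ljava/lang/Comparable;>";   // constructed, well-formed
        String bad  = "<T:Ljava/lang/Object;;>";                             // constructed, malformed: stray ';'
        System.out.println("guarded parse of well-formed input: " + parseGuarded(good));
        System.out.println("naive loop iterations on malformed input (cap 1000): " + naiveLoopIterations(bad, 1000));
        try {
            parseGuarded(bad);
        } catch (MalformedSignatureException e) {
            System.out.println("guarded parser rejected malformed input: " + e.getMessage());
        }
    }
}
```

The progress check is the general defence for any "loop until terminator" parser whose body may match the empty string: record the cursor before the call and fail if it has not moved, and treat end of input as a terminator that is an error rather than spinning on a sentinel. On the malformed string the naive loop hits the cap (it would otherwise grow the list until OutOfMemoryError, as in the stack trace above), while the guarded loop reports the offending index on the first non-advancing iteration.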

Comments
PUBLIC COMMENTS See http://hg.openjdk.java.net/jdk8/tl/jdk/rev/b1f99f9c2879
2011-08-23

SUGGESTED FIX See fix in 6476261.
2011-08-23

EVALUATION Infinite loops are bad.
2011-06-21