JDK-6832374 : (reflect) malformed signature can cause parser to go into infinite loop
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.lang:reflect
  • Affected Version: 6u10
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2009-04-21
  • Updated: 2012-09-28
  • Resolved: 2012-05-07
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availabitlity Release.

To download the current JDK release, click here.
JDK 7 JDK 8
7u2Fixed 8 b04Fixed
Related Reports
Relates :  
Relates :  
Description
FULL PRODUCT VERSION :
$ java -version
java version "1.5.0_16"
$ java -version
openjdk version "1.7.0-internal"
1.6.0_12-b04
(I think you'll find this is in about every version of java.)

ADDITIONAL OS VERSION INFORMATION :
All OSes.

A DESCRIPTION OF THE PROBLEM :
A logic error in SignatureParser.java makes it possible for a malformed signature to push the JVM into an infinite loop, which only ends when heap is exhausted.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the attached program.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Something like "parse error, malformed method descriptor."
ACTUAL -
<twiddle twiddle twiddle> boom.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
	at java.util.ArrayList.ensureCapacity(ArrayList.java:169)
	at java.util.ArrayList.add(ArrayList.java:351)
	at sun.reflect.generics.parser.SignatureParser.parseFormalTypeParameters(SignatureParser.java:190)
	at sun.reflect.generics.parser.SignatureParser.parseZeroOrMoreFormalTypeParameters(SignatureParser.java:177)
	at sun.reflect.generics.parser.SignatureParser.parseMethodTypeSignature(SignatureParser.java:436)
	at sun.reflect.generics.parser.SignatureParser.parseMethodSig(SignatureParser.java:141)
	at SigP.main(SigP.java:8)


REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import sun.reflect.generics.parser.SignatureParser;

public class SigP {
  public static void main(String[] args) {
    SignatureParser sp = SignatureParser.make();
    String sig = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Symbol;>(TT;Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Type;)TT;";
    
    sp.parseMethodSig(sig);
  }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
  Fix SignatureParser and rebuild the jdk.  The exploitable logic around line 210:

while (current() != '>') {
	ftps.add(parseFormalTypeParameter());
}

It is possible for parseFormalTypeParameter() not to advance the input, so this will loop indefinitely, allocating new empty type parameters until it exhausts its rope.

Comments
SUGGESTED FIX See fix in 6476261.
2011-08-23

PUBLIC COMMENTS See http://hg.openjdk.java.net/jdk8/tl/jdk/rev/b1f99f9c2879
2011-08-23

EVALUATION Infinite loops are bad.
2011-06-21