JDK-8016513 : Webstart throws StringIndexOutOfBoundsException using property and Java-VM-args
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 7,8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • Submitted: 2013-06-13
  • Updated: 2017-02-06
  • Resolved: 2013-06-26
  • Fix versions: 7u60: Fixed; 8 b97: Fixed
javaws fails to initialize and throws StringIndexOutOfBoundsException
when the resources tag uses a valid java-vm-args option containing the character "=",
together with a valid property


java.lang.StringIndexOutOfBoundsException: String index out of range: -5
at java.lang.String.substring(String.java:1911)
at com.sun.deploy.util.Property.<init>(Unknown Source)
at com.sun.deploy.util.Property.createProperty(Unknown Source)
at com.sun.deploy.util.JVMParameters$ArgumentSet.addArgument(Unknown Source)
at com.sun.deploy.util.JVMParameters.addArgumentImpl(Unknown Source)
at com.sun.deploy.util.JVMParameters.parseImpl(Unknown Source)
at com.sun.deploy.util.JVMParameters.parseTrustedOptions(Unknown Source)
at com.sun.javaws.Main.initializeExecutionEnvironment(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)

Steps to reproduce:
1. Start dynamictree-webstart_lab_prop.jnlp using javaws

Actual result:
The application does not start. The corresponding javaws trace file contains StringIndexOutOfBoundsException (see above)

Expected result:
The application should start successfully.
Verified with jre8-b111 on Mac 10.8.4

regression_test_src: http://sqe-hg.us.oracle.com/hg/index.cgi/testbase/javase/functional/8/deployment2/file/b490f0ed51af/new_framework/tests/javaws/vmargs/src/vmargsTest.java (vmargsTest::testsignedNewSize)

On Jul 2, 2013, at 3:29 PM, Penni Henry wrote:
> Thanks - Jeannette - let me know if you give your OK now. We already have SQE-OK - so we're just waiting for your approval.
>
> - Penni

Per Jeannette: - yes, thanks!

Chris Ries from VT reviewed and approved:

Hi Thomas,

I looked into this and the change doesn't appear to introduce any security issues. The security-related checks (arguments/properties that are not allowed, characters that lead to command-line injection issues, etc.) are performed outside of StringQuoteUtil and after it has broken up the command-line, so this change does not appear to affect them at all (even if the command-line got broken up differently as a result of this change, the checks performed afterwards should catch any problems that result).

Thanks,
Chris

Per Jeannette: I've asked Drew Gross to take a quick look. I will wait for the results from Jeannette/Drew before I mark this approved.

The fix does not cause any new vulnerabilities. It just validates the input string, if it is required. I tested the changes on MacOS, Linux and Windows, the fix looks OK. Removing nmi label.

I'm adding nmi label - please remove this once you address Jeannette's comments and at that point - this request will show up in the queue.

Please address/confirm Jeannette's comments before I approve this bug.

Issue is only applicable to MacOS and Linux. Due to this bug, there is no way to use valid/secure jvm args with the "=" sign in a JNLP file. Webstart will not launch and dies silently with a StringIndexOutOfBounds exception, e.g. something like this in JNLP will not work:

java-vm-args="-XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=35"

SQE-OK to take this fix for 7u40

On some OSes, such as Linux and Mac OS X, the method StringQuoteUtil.parseCommandLine() receives a quoted string containing multiple JVM parameters. This causes incorrect parsing and, as a result, the application fails to start with StringIndexOutOfBoundsException. Fix: StringQuoteUtil.parseCommandLine() should unquote an input string, if any.
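
A simplified sketch of the parsing problem and fix described in the comments above, added here as an illustration; it is not the com.sun.deploy source. The tokenizer, the unquote helper and the allow-list pattern are assumptions, and the input is constructed from the java-vm-args value quoted in the report.

```java
import java.util.ArrayList;
import java.util.List;

// Added illustration; names and logic are hypothetical, not the JDK deploy code.
public class VmArgsSplitDemo {

    // Hypothetical tokenizer: splits on whitespace, keeps double-quoted runs together.
    static List<String> split(String cmd) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (char c : cmd.toCharArray()) {
            if (c == '"') { inQuotes = !inQuotes; continue; }
            if (Character.isWhitespace(c) && !inQuotes) {
                if (cur.length() > 0) { out.add(cur.toString()); cur.setLength(0); }
            } else {
                cur.append(c);
            }
        }
        if (cur.length() > 0) out.add(cur.toString());
        return out;
    }

    // The fix as described in the report: strip one pair of enclosing quotes
    // before tokenizing. Inputs like "a" "b" are left alone (inner quotes present).
    static String unquote(String s) {
        String t = s.trim();
        boolean wrapped = t.length() >= 2 && t.startsWith("\"") && t.endsWith("\"")
                && t.indexOf('"', 1) == t.length() - 1;
        return wrapped ? t.substring(1, t.length() - 1) : t;
    }

    // Assumed post-split check: a token must be exactly one allow-listed option.
    static boolean isSingleAllowedOption(String tok) {
        return tok.matches("-XX:(MinHeapFreeRatio|MaxHeapFreeRatio)=\\d{1,3}");
    }

    public static void main(String[] args) {
        // Constructed input: the whole argument list arrives wrapped in quotes.
        String received = "\"-XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=35\"";
        for (String input : new String[] { received, unquote(received) }) {
            List<String> toks = split(input);
            System.out.println(toks.size() + " token(s): " + toks);
            for (String t : toks)
                System.out.println("  " + t + " -> allowed=" + isSingleAllowedOption(t));
        }
    }
}
```

Because the validation runs on each token after splitting, the merged token produced from the quoted input is rejected rather than passed through, which matches the reviewer's point that the security checks sit downstream of the splitter.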