FULL PRODUCT VERSION :
$ java -version
java version "1.5.0_16"
$ java -version
openjdk version "1.7.0-internal"
1.6.0_12-b04
(I think you'll find this is in about every version of java.)
ADDITIONAL OS VERSION INFORMATION :
All OSes.
A DESCRIPTION OF THE PROBLEM :
A logic error in SignatureParser.java lets a malformed generic signature drive the JVM's signature parser into an unbounded loop that ends only when the heap is exhausted (OutOfMemoryError).
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the attached program.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Something like "parse error, malformed method descriptor."
ACTUAL -
<twiddle twiddle twiddle> boom.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
        at java.util.ArrayList.ensureCapacity(ArrayList.java:169)
        at java.util.ArrayList.add(ArrayList.java:351)
        at sun.reflect.generics.parser.SignatureParser.parseFormalTypeParameters(SignatureParser.java:190)
        at sun.reflect.generics.parser.SignatureParser.parseZeroOrMoreFormalTypeParameters(SignatureParser.java:177)
        at sun.reflect.generics.parser.SignatureParser.parseMethodTypeSignature(SignatureParser.java:436)
        at sun.reflect.generics.parser.SignatureParser.parseMethodSig(SignatureParser.java:141)
        at SigP.main(SigP.java:8)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import sun.reflect.generics.parser.SignatureParser;

public class SigP {
    public static void main(String[] args) {
        SignatureParser sp = SignatureParser.make();
        // Malformed: the bounds after the first one are not separated by ':' (interface bounds),
        // so the parser treats "Lscala/..." as the start of a new formal type parameter.
        String sig = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Symbol;>(TT;Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;Lscala/tools/nsc/symtab/Types;Lscala/tools/nsc/symtab/Scopes;Lscala/tools/nsc/symtab/Definitions;Lscala/tools/nsc/symtab/Constants;Lscala/tools/nsc/symtab/BaseTypeSeqs;Lscala/tools/nsc/symtab/InfoTransformers;Lscala/tools/nsc/symtab/StdNames;Lscala/tools/nsc/symtab/AnnotationInfos;Lscala/tools/nsc/symtab/AnnotationCheckers;Lscala/tools/nsc/ast/Trees;Lscala/ScalaObject.Type;)TT;";
        // Never returns: loops allocating empty type parameters until the heap is exhausted.
        sp.parseMethodSig(sig);
    }
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Fix SignatureParser and rebuild the JDK. The exploitable logic, around line 210:

    while (current() != '>') {
        ftps.add(parseFormalTypeParameter());
    }

It is possible for parseFormalTypeParameter() not to advance the input, so this loops indefinitely, allocating a new empty type parameter on every iteration until the heap is exhausted. The loop needs a progress check: if the position has not moved after a call, the input is malformed and the parser should fail with a format error instead of iterating again.
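The following is an added example, not code from this report or from the JDK: a self-contained re-implementation of the FormalTypeParameters production (the grammar from JVMS 4.3.4, restricted to class-type and type-variable bounds without type arguments) with the progress check the quoted loop lacks. The class name SafeFormalTypeParams and its method names are assumptions made for this example; the real SignatureParser also stops identifiers at whitespace and handles nested type arguments, which this subset does not. Run against a trimmed copy of the report's signature it fails fast with a format error, and against the same signature with the ':' each interface bound requires it parses normally.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not JDK code). Grammar subset implemented:
 *   FormalTypeParameters: '<' FormalTypeParameter+ '>'
 *   FormalTypeParameter:  Identifier ClassBound InterfaceBound*
 *   ClassBound:           ':' FieldTypeSignature?
 *   InterfaceBound:       ':' FieldTypeSignature
 *   FieldTypeSignature:   'L' ... ';'  |  'T' Identifier ';'   (no type arguments)
 */
public class SafeFormalTypeParams {

    /** Thrown instead of looping when the input is malformed. */
    public static class SignatureFormatError extends RuntimeException {
        SignatureFormatError(String msg) { super(msg); }
    }

    private final String input;
    private int index = 0;

    private SafeFormalTypeParams(String input) { this.input = input; }

    /** Parses "<...>" and returns the identifiers of the parameters found. */
    public static List<String> parse(String sig) {
        SafeFormalTypeParams p = new SafeFormalTypeParams(sig);
        List<String> ids = p.parseFormalTypeParameters();
        if (p.index != sig.length()) {
            throw new SignatureFormatError("trailing input at index " + p.index);
        }
        return ids;
    }

    /** '\0' marks end of input so callers never read past the string. */
    private char current() {
        return index < input.length() ? input.charAt(index) : '\0';
    }

    private void advance() {
        if (index >= input.length()) throw new SignatureFormatError("unexpected end of input");
        index++;
    }

    private List<String> parseFormalTypeParameters() {
        List<String> ids = new ArrayList<String>();
        if (current() != '<') throw new SignatureFormatError("expected '<' at index " + index);
        advance();
        ids.add(parseFormalTypeParameter());
        while (current() != '>') {
            int start = index;
            ids.add(parseFormalTypeParameter());
            // The check the reported loop is missing: a production that consumed
            // nothing will consume nothing on the next turn either, so without
            // this the loop spins adding empty parameters until the heap is gone.
            if (index == start) {
                throw new SignatureFormatError("malformed formal type parameter at index "
                        + index + " (unexpected '" + current() + "')");
            }
        }
        advance(); // consume '>'
        return ids;
    }

    private String parseFormalTypeParameter() {
        String id = parseIdentifier();
        if (current() == ':') {                 // ClassBound
            advance();
            if (current() != ':') parseFieldTypeSignature(); // class bound may be empty
            while (current() == ':') {          // InterfaceBound*
                advance();
                parseFieldTypeSignature();
            }
        }
        return id;
    }

    /** Reads up to the next delimiter; returns "" without advancing when already on one. */
    private String parseIdentifier() {
        int start = index;
        while (index < input.length() && ";./[:<>".indexOf(current()) < 0) advance();
        return input.substring(start, index);
    }

    private void parseFieldTypeSignature() {
        char c = current();
        if (c != 'L' && c != 'T') throw new SignatureFormatError("expected 'L' or 'T' at index " + index);
        while (current() != ';') advance();     // advance() fails cleanly at end of input
        advance();                              // consume ';'
    }

    public static void main(String[] args) {
        // Constructed inputs: a trimmed copy of the report's signature, and the same
        // signature with the ':' that separates each interface bound.
        String bad  = "<T:Lscala/tools/nsc/symtab/Names;Lscala/tools/nsc/symtab/Symbols;>";
        String good = "<T:Lscala/tools/nsc/symtab/Names;:Lscala/tools/nsc/symtab/Symbols;>";
        System.out.println("good -> " + parse(good));
        try {
            parse(bad);
        } catch (SignatureFormatError e) {
            System.out.println("bad  -> " + e.getMessage());
        }
    }
}
```

On the malformed input the first extra iteration reads "Lscala" as an identifier and stops at '/', and the next iteration reads nothing at all, which is where the progress check fires. Note that the report's own reproducer depends on the internal sun.reflect.generics.parser package; on JDK 9 and later that package is not exported from java.base, so compiling and running it needs an explicit --add-exports for java.base/sun.reflect.generics.parser.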