# HG changeset patch # User igerasim # Date 1470850431 -10800 # Wed Aug 10 20:33:51 2016 +0300 # Node ID 9b0da373b3dd65a56fbc07ee07a7013fd4e707d2 # Parent 3f523e22d1519e44a60e9d312609f62e2d22d849 imported patch 8163518-Integer-overflow-in-StringBufferInputStream-read-byte-int-int diff --git a/src/java.base/share/classes/java/io/CharArrayReader.java b/src/java.base/share/classes/java/io/CharArrayReader.java --- a/src/java.base/share/classes/java/io/CharArrayReader.java +++ b/src/java.base/share/classes/java/io/CharArrayReader.java @@ -131,8 +131,10 @@ if (pos >= count) { return -1; } - if (pos + len > count) { - len = count - pos; + + int avail = count - pos; + if (len > avail) { + len = avail; } if (len <= 0) { return 0; @@ -158,14 +160,13 @@ public long skip(long n) throws IOException { synchronized (lock) { ensureOpen(); - if (pos + n > count) { - n = count - pos; + + long k = count - pos; + if (n < k) { + k = (n <= 0) ? 0 : n; } - if (n < 0) { - return 0; - } - pos += n; - return n; + pos += k; + return k; } } diff --git a/src/java.base/share/classes/java/io/StringBufferInputStream.java b/src/java.base/share/classes/java/io/StringBufferInputStream.java --- a/src/java.base/share/classes/java/io/StringBufferInputStream.java +++ b/src/java.base/share/classes/java/io/StringBufferInputStream.java @@ -118,8 +118,10 @@ if (pos >= count) { return -1; } - if (pos + len > count) { - len = count - pos; + + int avail = count - pos; + if (len > avail) { + len = avail; } if (len <= 0) { return 0; diff --git a/test/java/io/CharArrayReader/OverflowInRead.java b/test/java/io/CharArrayReader/OverflowInRead.java new file mode 100644 --- /dev/null +++ b/test/java/io/CharArrayReader/OverflowInRead.java @@ -0,0 +1,50 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* @test + * @bug 8163518 + * @summary Integer overflow when reading in large buffer + * @requires (os.simpleArch == "x64" & os.maxMemory > 8g) + * @run main/othervm -Xmx8g OverflowInRead + */ + +import java.io.CharArrayReader; + +public class OverflowInRead { + public static void main(String[] args) throws Exception { + char[] a = "_123456789_123456789_123456789_123456789" + .toCharArray(); // a.length > 33 + try (CharArrayReader car = new CharArrayReader(a)) { + int len1 = 33; + char[] buf1 = new char[len1]; + if (car.read(buf1, 0, len1) != len1) + throw new Exception("Expected to read " + len1 + " chars"); + + int len2 = Integer.MAX_VALUE - 32; + char[] buf2 = new char[len2]; + int expLen2 = a.length - len1; + if (car.read(buf2, 0, len2) != expLen2) + throw new Exception("Expected to read " + expLen2 + " chars"); + } + } +} diff --git a/test/java/io/CharArrayReader/OverflowInSkip.java b/test/java/io/CharArrayReader/OverflowInSkip.java new file mode 100644 --- /dev/null +++ b/test/java/io/CharArrayReader/OverflowInSkip.java @@ -0,0 +1,51 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* @test + * @bug 8163518 + * @summary Integer overflow when skipping a lot + */ + +import java.io.CharArrayReader; + +public class OverflowInSkip { + public static void main(String[] args) throws Exception { + char[] a = "_123456789_123456789_123456789_123456789" + .toCharArray(); // a.length > 33 + try (CharArrayReader car = new CharArrayReader(a)) { + long small = 33; + long big = Long.MAX_VALUE; + + long smallSkip = car.skip(small); + if (smallSkip != small) + throw new Exception("Expected to skip " + small + + " chars, but skipped " + smallSkip); + + long expSkip = a.length - small; + long bigSkip = car.skip(big); + if (bigSkip != expSkip) + throw new Exception("Expected to skip " + expSkip + + " chars, but skipped " + bigSkip); + } + } +} diff --git a/test/java/io/StringBufferInputStream/OverflowInRead.java b/test/java/io/StringBufferInputStream/OverflowInRead.java new file mode 100644 --- /dev/null +++ b/test/java/io/StringBufferInputStream/OverflowInRead.java @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* @test + * @bug 8163518 + * @summary Integer overflow when reading in large buffer + * @requires (os.simpleArch == "x64" & os.maxMemory > 4g) + * @run main/othervm -Xmx4g OverflowInRead + */ + +import java.io.StringBufferInputStream; + +public class OverflowInRead { + public static void main(String[] args) throws Exception { + String s = "_123456789_123456789_123456789_123456789"; // s.length() > 33 + try (StringBufferInputStream sbis = new StringBufferInputStream(s)) { + int len1 = 33; + byte[] buf1 = new byte[len1]; + if (sbis.read(buf1, 0, len1) != len1) + throw new Exception("Expected to read " + len1 + " bytes"); + + int len2 = Integer.MAX_VALUE - 32; + byte[] buf2 = new byte[len2]; + int expLen2 = s.length() - len1; + if (sbis.read(buf2, 0, len2) != expLen2) + throw new Exception("Expected to read " + expLen2 + " bytes"); + } + } +}