8059485: Resolve parsing ambiguity

Reviewed-by: mullan, vinnie
2026-04-17 10:20:33 +00:00 · 2014-10-08 19:13:57 +08:00 · 2014-10-08 19:13:57 +08:00 · 64881fb307
commit 64881fb307
parent 48ac606390
3 changed files with 23 additions and 5 deletions
--- a/jdk/src/java.base/share/classes/sun/security/util/DerIndefLenConverter.java
+++ b/jdk/src/java.base/share/classes/sun/security/util/DerIndefLenConverter.java
@ -156,12 +156,18 @@ class DerIndefLenConverter {
        }
        if (isLongForm(lenByte)) {
            lenByte &= LEN_MASK;
-            if (lenByte > 4)
+            if (lenByte > 4) {
                throw new IOException("Too much data");
-            if ((dataSize - dataPos) < (lenByte + 1))
+            }
+            if ((dataSize - dataPos) < (lenByte + 1)) {
                throw new IOException("Too little data");
-            for (int i = 0; i < lenByte; i++)
+            }
+            for (int i = 0; i < lenByte; i++) {
                curLen = (curLen << 8) + (data[dataPos++] & 0xff);
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
        } else {
           curLen = (lenByte & LEN_MASK);
        }
@ -188,10 +194,15 @@ class DerIndefLenConverter {
        }
        if (isLongForm(lenByte)) {
            lenByte &= LEN_MASK;
-            for (int i = 0; i < lenByte; i++)
+            for (int i = 0; i < lenByte; i++) {
                curLen = (curLen << 8) + (data[dataPos++] & 0xff);
-        } else
+            }
+            if (curLen < 0) {
+                throw new IOException("Invalid length bytes");
+            }
+        } else {
            curLen = (lenByte & LEN_MASK);
+        }
        writeLength(curLen);
        writeValue(curLen);
    }
--- a/jdk/src/java.base/share/classes/sun/security/util/DerInputStream.java
+++ b/jdk/src/java.base/share/classes/sun/security/util/DerInputStream.java
@ -577,6 +577,10 @@ public class DerInputStream {
                value <<= 8;
                value += 0x0ff & in.read();
            }
+            if (value < 0) {
+                throw new IOException("DerInputStream.getLength(): "
+                        + "Invalid length bytes");
+            }
        }
        return value;
    }
--- a/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/BerDecoder.java
+++ b/jdk/src/java.naming/share/classes/com/sun/jndi/ldap/BerDecoder.java
@ -95,6 +95,9 @@ public final class BerDecoder extends Ber {
            for( int i = 0; i < lengthbyte; i++) {
                retval = (retval << 8) + (buf[offset++] & 0xff);
            }
+            if (retval < 0) {
+              throw new DecodeException("Invalid length bytes");
+            }
            return retval;
        } else {
            return lengthbyte;