From e99208ee7d4870f3d27bc1d218d3fa6d099e5c83 Mon Sep 17 00:00:00 2001
From: Thomas Stuefe
Date: Tue, 13 Sep 2016 11:38:31 +0200
Subject: [PATCH] 8165936: Potential Heap buffer overflow when seaching timezone info files

Readdir_r called with too small buffer

Reviewed-by: clanger, rriggs, okutsu, naoto
---
 .../java.base/unix/native/libjava/TimeZone_md.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/jdk/src/java.base/unix/native/libjava/TimeZone_md.c b/jdk/src/java.base/unix/native/libjava/TimeZone_md.c
index 8b09a53be82..a7ab47e5684 100644
--- a/jdk/src/java.base/unix/native/libjava/TimeZone_md.c
+++ b/jdk/src/java.base/unix/native/libjava/TimeZone_md.c
@@ -128,13 +128,26 @@ findZoneinfoFile(char *buf, size_t size, const char *dir)
     char *dbuf = NULL;
     char *tz = NULL;
     int res;
+    long name_max = 0;
 
     dirp = opendir(dir);
     if (dirp == NULL) {
         return NULL;
     }
 
-    entry = (struct dirent64 *) malloc((size_t) pathconf(dir, _PC_NAME_MAX));
+    name_max = pathconf(dir, _PC_NAME_MAX);
+    // If pathconf did not work, fall back to NAME_MAX.
+    if (name_max < 0) {
+        name_max = NAME_MAX;
+    }
+    // Some older System V systems have a very small NAME_MAX size of 14; as
+    // there is no way to tell readdir_r the output buffer size, lets enforce
+    // a mimimum buffer size.
+    if (name_max < 1024) {
+        name_max = 1024;
+    }
+
+    entry = (struct dirent64 *)malloc(offsetof(struct dirent64, d_name) + name_max + 1);
     if (entry == NULL) {
         (void) closedir(dirp);
         return NULL;
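Review bot: The allocation size `offsetof(struct dirent64, d_name) + name_max + 1` on the new malloc line assumes `d_name` is the last member of `struct dirent64`; if any supported platform declares `d_name` with a fixed size or places a member after it, `sizeof(struct dirent64)` can exceed that sum and readdir_r would still write past the buffer, so a defensive form such as `size_t len = offsetof(struct dirent64, d_name) + (size_t)name_max + 1; if (len < sizeof(struct dirent64)) len = sizeof(struct dirent64);` before the `malloc` keeps the buffer at least struct-sized. `offsetof` and `NAME_MAX` need `<stddef.h>` and `<limits.h>`, which are outside the hunk — confirm both are included in TimeZone_md.c. The new comment has two typos: `mimimum` → `minimum` and `lets` → `let's`. findZoneinfoFile's body, including the readdir_r call this buffer is passed to, continues outside the hunk.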