archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 15:24:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8027252: Crash in interpreter because get_unsigned_2_byte_index_at_bcp reads 4 bytes

Browse source 
Use 2-byte loads to load indexes from the byte code stream to avoid out of bounds reads.

Reviewed-by: coleenp, sspitsyn
This commit is contained in:
Mikael Gerdin 2013-10-30 15:35:25 +01:00
parent 3e0a2a86bf
commit 0b4ed553d6
4 changed files with 14 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hotspot/src/cpu/x86/vm/interp_masm_x86_32.cpp
View file

@ -196,7 +196,7 @@ void InterpreterMacroAssembler::check_and_handle_earlyret(Register java_thread)
void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(Register reg, int bcp_offset) { void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(Register reg, int bcp_offset) {
assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode"); assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
movl(reg, Address(rsi, bcp_offset)); load_unsigned_short(reg, Address(rsi, bcp_offset));
bswapl(reg); bswapl(reg);
shrl(reg, 16); shrl(reg, 16);
} }

2
hotspot/src/cpu/x86/vm/interp_masm_x86_64.cpp
View file

@ -192,7 +192,7 @@ void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(
Register reg, Register reg,
int bcp_offset) { int bcp_offset) {
assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode"); assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
movl(reg, Address(r13, bcp_offset)); load_unsigned_short(reg, Address(r13, bcp_offset));
bswapl(reg); bswapl(reg);
shrl(reg, 16); shrl(reg, 16);
} }

8
hotspot/src/cpu/x86/vm/templateTable_x86_32.cpp
View file

@ -558,7 +558,7 @@ void TemplateTable::aload() {
void TemplateTable::locals_index_wide(Register reg) { void TemplateTable::locals_index_wide(Register reg) {
__ movl(reg, at_bcp(2)); __ load_unsigned_short(reg, at_bcp(2));
__ bswapl(reg); __ bswapl(reg);
__ shrl(reg, 16); __ shrl(reg, 16);
__ negptr(reg); __ negptr(reg);
@ -1552,7 +1552,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) {
InvocationCounter::counter_offset(); InvocationCounter::counter_offset();
// Load up EDX with the branch displacement // Load up EDX with the branch displacement
__ movl(rdx, at_bcp(1)); if (is_wide) {
__ movl(rdx, at_bcp(1));
} else {
__ load_signed_short(rdx, at_bcp(1));
}
__ bswapl(rdx); __ bswapl(rdx);
if (!is_wide) __ sarl(rdx, 16); if (!is_wide) __ sarl(rdx, 16);
LP64_ONLY(__ movslq(rdx, rdx)); LP64_ONLY(__ movslq(rdx, rdx));

8
hotspot/src/cpu/x86/vm/templateTable_x86_64.cpp
View file

@ -568,7 +568,7 @@ void TemplateTable::aload() {
} }
void TemplateTable::locals_index_wide(Register reg) { void TemplateTable::locals_index_wide(Register reg) {
__ movl(reg, at_bcp(2)); __ load_unsigned_short(reg, at_bcp(2));
__ bswapl(reg); __ bswapl(reg);
__ shrl(reg, 16); __ shrl(reg, 16);
__ negptr(reg); __ negptr(reg);
@ -1575,7 +1575,11 @@ void TemplateTable::branch(bool is_jsr, bool is_wide) {
InvocationCounter::counter_offset(); InvocationCounter::counter_offset();
// Load up edx with the branch displacement // Load up edx with the branch displacement
__ movl(rdx, at_bcp(1)); if (is_wide) {
__ movl(rdx, at_bcp(1));
} else {
__ load_signed_short(rdx, at_bcp(1));
}
__ bswapl(rdx); __ bswapl(rdx);
if (!is_wide) { if (!is_wide) {