8336833: Endless loop in Javap ClassWriter

Reviewed-by: liach
2025-08-27 14:54:52 +02:00 · 2024-07-22 07:33:29 +00:00 · 2024-07-22 07:33:29 +00:00 · 0db6c15efe
commit 0db6c15efe
parent 4da9915875
2 changed files with 24 additions and 2 deletions
--- a/src/java.base/share/classes/jdk/internal/classfile/impl/AbstractInstruction.java
+++ b/src/java.base/share/classes/jdk/internal/classfile/impl/AbstractInstruction.java
@ -317,7 +317,7 @@ public abstract sealed class AbstractInstruction
            int pad = ap - (pos + 1);
            int low = code.classReader.readInt(ap + 4);
            int high = code.classReader.readInt(ap + 8);
-            if (high < low || high - low > code.codeLength >> 2) {
+            if (high < low || (long)high - low > code.codeLength >> 2) {
                throw new IllegalArgumentException("Invalid tableswitch values low: " + low + " high: " + high);
            }
            int cnt = high - low + 1;
--- a/test/jdk/jdk/classfile/LimitsTest.java
+++ b/test/jdk/jdk/classfile/LimitsTest.java
@ -23,7 +23,7 @@
 /*
 * @test
- * @bug 8320360 8330684 8331320 8331655 8331940 8332486 8335820
+ * @bug 8320360 8330684 8331320 8331655 8331940 8332486 8335820 8336833
 * @summary Testing ClassFile limits.
 * @run junit LimitsTest
 */
@ -168,6 +168,28 @@ class LimitsTest {
                                    b.writeU2(0);//exception handlers
                                    b.writeU2(0);//attributes
                                }})))).methods().get(0).code().get().elementList());
        assertThrows(IllegalArgumentException.class, () ->
                ClassFile.of().parse(ClassFile.of().build(ClassDesc.of("TableSwitchClass"), cb -> cb.withMethod(
                "tableSwitchMethod", MethodTypeDesc.of(ConstantDescs.CD_void), 0, mb ->
                        ((DirectMethodBuilder)mb).writeAttribute(new UnboundAttribute.AdHocAttribute<CodeAttribute>(Attributes.code()) {
                                @Override
                                public void writeBody(BufWriter b) {
                                    b.writeU2(-1);//max stack
                                    b.writeU2(-1);//max locals
                                    b.writeInt(20);
                                    b.writeU1(Opcode.NOP.bytecode());
                                    b.writeU1(Opcode.NOP.bytecode());
                                    b.writeU1(Opcode.NOP.bytecode());
                                    b.writeU1(Opcode.NOP.bytecode());
                                    b.writeU1(Opcode.TABLESWITCH.bytecode());
                                    b.writeU1(0); //padding
                                    b.writeU2(0); //padding
                                    b.writeInt(0); //default
                                    b.writeInt(Integer.MIN_VALUE); //low
                                    b.writeInt(Integer.MAX_VALUE - 4); //high to jump back and cause infinite loop
                                    b.writeU2(0);//exception handlers
                                    b.writeU2(0);//attributes
                                }})))).methods().get(0).code().get().elementList());
    }
    @Test