8300596: Enhance Jar Signature validation

Reviewed-by: mullan, rhalade, mschoene, weijun

src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java

@@ -36,6 +36,7 @@ import java.util.*;
 import java.util.jar.Attributes;
 import java.util.jar.Manifest;
 
+import sun.security.action.GetIntegerAction;
 import sun.security.jca.Providers;
 import sun.security.pkcs.PKCS7;
 import sun.security.pkcs.SignerInfo;
@@ -83,6 +84,12 @@ public class SignatureFileVerifier {
 
     private static final String META_INF = "META-INF/";
 
+    // the maximum allowed size in bytes for the signature-related files
+    public static final int MAX_SIG_FILE_SIZE = initializeMaxSigFileSize();
+
+    // The maximum size of array to allocate. Some VMs reserve some header words in an array.
+    private static final int MAX_ARRAY_SIZE = Integer.MAX_VALUE - 8;
+
     /**
      * Create the named SignatureFileVerifier.
      *
@@ -833,4 +840,24 @@ public class SignatureFileVerifier {
         signerCache.add(cachedSigners);
         signers.put(name, cachedSigners);
     }
+
+    private static int initializeMaxSigFileSize() {
+        /*
+         * System property "jdk.jar.maxSignatureFileSize" used to configure
+         * the maximum allowed number of bytes for the signature-related files
+         * in a JAR file.
+         */
+        Integer tmp = GetIntegerAction.privilegedGetProperty(
+                "jdk.jar.maxSignatureFileSize", 8000000);
+        if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
+            if (debug != null) {
+                debug.println("Default signature file size 8000000 bytes " +
+                        "is used as the specified size for the " +
+                        "jdk.jar.maxSignatureFileSize system property " +
+                        "is out of range: " + tmp);
+            }
+            tmp = 8000000;
+        }
+        return tmp;
+    }
 }