Patch for multiple integer overflows (CVE-2020-17360) and silent retu…
…rn on negative length (CVE-2020-17361)
polivar3 authored and dicej committed Aug 10, 2020
1 parent 8880b55 commit 4d21449
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions src/avian/classpath-common.h
Expand Up @@ -81,8 +81,8 @@ void arrayCopy(Thread* t,
intptr_t sl = fieldAtOffset<uintptr_t>(src, BytesPerWord);
intptr_t dl = fieldAtOffset<uintptr_t>(dst, BytesPerWord);
if (LIKELY(length > 0)) {
if (LIKELY(srcOffset >= 0 and srcOffset + length <= sl
and dstOffset >= 0 and dstOffset + length <= dl)) {
if (LIKELY(srcOffset >= 0 and srcOffset + length > srcOffset and srcOffset + length <= sl
and dstOffset >= 0 and dstOffset + length > dstOffset and dstOffset + length <= dl)) {
uint8_t* sbody = &fieldAtOffset<uint8_t>(src, ArrayBody);
uint8_t* dbody = &fieldAtOffset<uint8_t>(dst, ArrayBody);
if (src == dst) {
Expand All @@ -103,6 +103,9 @@ void arrayCopy(Thread* t,
} else {
throwNew(t, GcIndexOutOfBoundsException::Type);
}
} else if (LIKELY(length < 0)) {
throwNew(t, GcNegativeArraySizeException::Type, "%d", length);
return;
} else {
return;
}
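Review bot: The added overflow tests `srcOffset + length > srcOffset` and `dstOffset + length > dstOffset` in the first hunk detect wraparound only after the addition has been performed. If srcOffset, dstOffset and length are signed (their declarations are outside the hunk; the `%d` in the second hunk suggests int), that overflow is undefined behaviour, and an optimising compiler may drop the test because `length > 0` is already established. Comparing against the remaining room cannot overflow: `srcOffset >= 0 and length <= sl - srcOffset` and `dstOffset >= 0 and length <= dl - dstOffset`, which holds as long as sl and dl are non-negative. In the second hunk, `LIKELY(length < 0)` marks the error path as the expected one; a plain `length < 0`, or an UNLIKELY hint if the codebase has one, would match the intent. arrayCopy starts and ends outside both hunks.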
