Merge

Reviewed-by: kcr, prr

Author: Brent Christian

src/hotspot/share/classfile/stackMapTable.cpp

@@ -132,8 +132,16 @@ bool StackMapTable::match_stackmap(
 }
 
 void StackMapTable::check_jump_target(
-    StackMapFrame* frame, int32_t target, TRAPS) const {
+    StackMapFrame* frame, int bci, int offset, TRAPS) const {
   ErrorContext ctx;
+  // Jump targets must be within the method and the method size is limited. See JVMS 4.11
+  int min_offset = -1 * max_method_code_size;
+  if (offset < min_offset || offset > max_method_code_size) {
+    frame->verifier()->verify_error(ErrorContext::bad_stackmap(bci, frame),
+        "Illegal target of jump or branch (bci %d + offset %d)", bci, offset);
+    return;
+  }
+  int target = bci + offset;
   bool match = match_stackmap(
     frame, target, true, false, &ctx, CHECK_VERIFY(frame->verifier()));
   if (!match || (target < 0 || target >= _code_length)) {

src/hotspot/share/classfile/stackMapTable.hpp

@@ -67,7 +67,7 @@ class StackMapTable : public StackObj {
 
   // Check jump instructions. Make sure there are no uninitialized
   // instances on backward branch.
-  void check_jump_target(StackMapFrame* frame, int32_t target, TRAPS) const;
+  void check_jump_target(StackMapFrame* frame, int bci, int offset, TRAPS) const;
 
   // The following methods are only used inside this class.
 

src/hotspot/share/classfile/verifier.cpp

@@ -781,7 +781,6 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
 
     // Merge with the next instruction
     {
-      int target;
       VerificationType type, type2;
       VerificationType atype;
 
@@ -1606,9 +1605,8 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
         case Bytecodes::_ifle:
           current_frame.pop_stack(
             VerificationType::integer_type(), CHECK_VERIFY(this));
-          target = bcs.dest();
           stackmap_table.check_jump_target(
-            &current_frame, target, CHECK_VERIFY(this));
+            &current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
           no_control_flow = false; break;
         case Bytecodes::_if_acmpeq :
         case Bytecodes::_if_acmpne :
@@ -1619,19 +1617,16 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
         case Bytecodes::_ifnonnull :
           current_frame.pop_stack(
             VerificationType::reference_check(), CHECK_VERIFY(this));
-          target = bcs.dest();
           stackmap_table.check_jump_target
-            (&current_frame, target, CHECK_VERIFY(this));
+            (&current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
           no_control_flow = false; break;
         case Bytecodes::_goto :
-          target = bcs.dest();
           stackmap_table.check_jump_target(
-            &current_frame, target, CHECK_VERIFY(this));
+            &current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
           no_control_flow = true; break;
         case Bytecodes::_goto_w :
-          target = bcs.dest_w();
           stackmap_table.check_jump_target(
-            &current_frame, target, CHECK_VERIFY(this));
+            &current_frame, bcs.bci(), bcs.get_offset_s4(), CHECK_VERIFY(this));
           no_control_flow = true; break;
         case Bytecodes::_tableswitch :
         case Bytecodes::_lookupswitch :
@@ -2280,15 +2275,14 @@ void ClassVerifier::verify_switch(
       }
     }
   }
-  int target = bci + default_offset;
-  stackmap_table->check_jump_target(current_frame, target, CHECK_VERIFY(this));
+  stackmap_table->check_jump_target(current_frame, bci, default_offset, CHECK_VERIFY(this));
   for (int i = 0; i < keys; i++) {
     // Because check_jump_target() may safepoint, the bytecode could have
     // moved, which means 'aligned_bcp' is no good and needs to be recalculated.
     aligned_bcp = align_up(bcs->bcp() + 1, jintSize);
-    target = bci + (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
+    int offset = (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
     stackmap_table->check_jump_target(
-      current_frame, target, CHECK_VERIFY(this));
+      current_frame, bci, offset, CHECK_VERIFY(this));
   }
   NOT_PRODUCT(aligned_bcp = nullptr);  // no longer valid at this point
 }

src/hotspot/share/interpreter/bytecodeStream.hpp

@@ -100,8 +100,23 @@ class BaseBytecodeStream: StackObj {
   void            set_next_bci(int bci)          { assert(0 <= bci && bci <= method()->code_size(), "illegal bci"); _next_bci = bci; }
 
   // Bytecode-specific attributes
-  int             dest() const                   { return bci() + bytecode().get_offset_s2(raw_code()); }
-  int             dest_w() const                 { return bci() + bytecode().get_offset_s4(raw_code()); }
+  int get_offset_s2() const { return bytecode().get_offset_s2(raw_code()); }
+  int get_offset_s4() const { return bytecode().get_offset_s4(raw_code()); }
+
+  // These methods are not safe to use before or during verification as they may
+  // have large offsets and cause overflows
+  int dest() const {
+    int min_offset = -1 * max_method_code_size;
+    int offset = bytecode().get_offset_s2(raw_code());
+    guarantee(offset >= min_offset && offset <= max_method_code_size, "must be");
+    return bci() + offset;
+  }
+  int dest_w() const {
+    int min_offset = -1 * max_method_code_size;
+    int offset = bytecode().get_offset_s4(raw_code());
+    guarantee(offset >= min_offset && offset <= max_method_code_size, "must be");
+    return bci() + offset;
+  }
 
   // One-byte indices.
   u1              get_index_u1() const           { assert_raw_index_size(1); return *(jubyte*)(bcp()+1); }

src/java.base/share/classes/java/lang/AbstractStringBuilder.java

@@ -1448,8 +1448,8 @@ public AbstractStringBuilder insert(int dstOffset, CharSequence s,
         shift(currValue, coder, count, dstOffset, len);
         count += len;
         // Coder of CharSequence may be a mismatch, requiring the value array to be inflated
-        byte[] newValue = (s instanceof String str)
-            ? putStringAt(currValue, coder, count, dstOffset, str, start, end)
+        byte[] newValue = (s instanceof String str && str.length() == len)
+            ? putStringAt(currValue, coder, count, dstOffset, str)
             : putCharsAt(currValue, coder, count, dstOffset, s, start, end);
         if (currValue != newValue) {
             this.coder = UTF16;
@@ -1928,10 +1928,10 @@ private static byte[] inflateIfNeededFor(byte[] value, int count, byte coder, by
      * @param index the index to insert the string
      * @param str the string
      */
-     private static byte[] putStringAt(byte[] value, byte coder, int count, int index, String str, int off, int end) {
+     private static byte[] putStringAt(byte[] value, byte coder, int count, int index, String str) {
         byte[] newValue = inflateIfNeededFor(value, count, coder, str.coder());
         coder = (newValue == value) ? coder : UTF16;
-        str.getBytes(newValue, off, index, coder, end - off);
+        str.getBytes(newValue, 0, index, coder, str.length());
         return newValue;
     }
 

src/java.base/share/classes/sun/security/util/DerValue.java

@@ -859,6 +859,22 @@ public String getUniversalString() throws IOException {
         return readStringInternal(tag_UniversalString, new UTF_32BE());
     }
 
+    /**
+     * Checks that the BMPString does not contain any surrogate characters,
+     * which are outside the Basic Multilingual Plane.
+     *
+     * @throws IOException if illegal characters are detected
+     */
+    public void validateBMPString() throws IOException {
+        String bmpString = getBMPString();
+        for (int i = 0; i < bmpString.length(); i++) {
+            if (Character.isSurrogate(bmpString.charAt(i))) {
+                throw new IOException(
+                    "Illegal character in BMPString, index: " + i);
+            }
+         }
+     }
+
     /**
      * Reads the ASN.1 NULL value
      */

src/java.base/share/classes/sun/security/x509/AVA.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,10 +28,13 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.Reader;
+import java.nio.charset.Charset;
 import java.text.Normalizer;
 import java.util.*;
 
+import static java.nio.charset.StandardCharsets.ISO_8859_1;
 import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.nio.charset.StandardCharsets.UTF_16BE;
 
 import sun.security.util.*;
 import sun.security.pkcs.PKCS9Attribute;
@@ -589,6 +592,10 @@ private static boolean trailingSpace(Reader in) throws IOException {
             throw new IOException("AVA, extra bytes = "
                 + derval.data.available());
         }
+
+        if (value.tag == DerValue.tag_BMPString) {
+            value.validateBMPString();
+        }
     }
 
     AVA(DerInputStream in) throws IOException {
@@ -713,7 +720,8 @@ public String toRFC2253String(Map<String, String> oidMap) {
              * NOTE: this implementation only emits DirectoryStrings of the
              * types returned by isDerString().
              */
-            String valStr = new String(value.getDataBytes(), UTF_8);
+            String valStr =
+                new String(value.getDataBytes(), getCharset(value, false));
 
             /*
              * 2.4 (cont): If the UTF-8 string does not have any of the
@@ -832,7 +840,8 @@ public String toRFC2253CanonicalString() {
              * NOTE: this implementation only emits DirectoryStrings of the
              * types returned by isDerString().
              */
-            String valStr = new String(value.getDataBytes(), UTF_8);
+            String valStr =
+                new String(value.getDataBytes(), getCharset(value, true));
 
             /*
              * 2.4 (cont): If the UTF-8 string does not have any of the
@@ -927,6 +936,39 @@ private static boolean isDerString(DerValue value, boolean canonical) {
         }
     }
 
+    /*
+     * Returns the charset that should be used to decode each DN string type.
+     *
+     * This method ensures that multi-byte (UTF8String and BMPString) types
+     * are decoded using the correct charset and the String forms represent
+     * the correct characters. For 8-bit ASCII-based types (PrintableString
+     * and IA5String), we return ISO_8859_1 rather than ASCII, so that the
+     * complete range of characters can be represented, as many certificates
+     * do not comply with the Internationalized Domain Name ACE format.
+     *
+     * NOTE: this method only supports DirectoryStrings of the types returned
+     * by isDerString().
+     */
+    private static Charset getCharset(DerValue value, boolean canonical) {
+        if (canonical) {
+            return switch (value.tag) {
+                case DerValue.tag_PrintableString -> ISO_8859_1;
+                case DerValue.tag_UTF8String -> UTF_8;
+                default -> throw new Error("unexpected tag: " + value.tag);
+            };
+        }
+
+        return switch (value.tag) {
+            case DerValue.tag_PrintableString,
+                 DerValue.tag_T61String,
+                 DerValue.tag_IA5String,
+                 DerValue.tag_GeneralString -> ISO_8859_1;
+            case DerValue.tag_BMPString -> UTF_16BE;
+            case DerValue.tag_UTF8String -> UTF_8;
+            default -> throw new Error("unexpected tag: " + value.tag);
+        };
+    }
+
     boolean hasRFC2253Keyword() {
         return AVAKeyword.hasKeyword(oid, RFC2253);
     }

src/java.base/share/native/libverify/check_code.c

@@ -395,7 +395,8 @@ static jboolean is_superclass(context_type *, fullinfo_type);
 
 static void initialize_exception_table(context_type *);
 static int instruction_length(unsigned char *iptr, unsigned char *end);
-static jboolean isLegalTarget(context_type *, int offset);
+static jboolean isLegalOffset(context_type *, int bci, int offset);
+static jboolean isLegalTarget(context_type *, int target);
 static void verify_constant_pool_type(context_type *, int, unsigned);
 
 static void initialize_dataflow(context_type *);
@@ -1154,9 +1155,9 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
     case JVM_OPC_goto: {
         /* Set the ->operand to be the instruction number of the target. */
         int jump = (((signed char)(code[offset+1])) << 8) + code[offset+2];
-        int target = offset + jump;
-        if (!isLegalTarget(context, target))
+        if (!isLegalOffset(context, offset, jump))
             CCerror(context, "Illegal target of jump or branch");
+        int target = offset + jump;
         this_idata->operand.i = code_data[target];
         break;
     }
@@ -1170,9 +1171,9 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
         int jump = (((signed char)(code[offset+1])) << 24) +
                      (code[offset+2] << 16) + (code[offset+3] << 8) +
                      (code[offset + 4]);
-        int target = offset + jump;
-        if (!isLegalTarget(context, target))
+        if (!isLegalOffset(context, offset, jump))
             CCerror(context, "Illegal target of jump or branch");
+        int target = offset + jump;
         this_idata->operand.i = code_data[target];
         break;
     }
@@ -1211,13 +1212,16 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
             }
         }
         saved_operand = NEW(int, keys + 2);
-        if (!isLegalTarget(context, offset + _ck_ntohl(lpc[0])))
+        int jump = _ck_ntohl(lpc[0]);
+        if (!isLegalOffset(context, offset, jump))
             CCerror(context, "Illegal default target in switch");
-        saved_operand[keys + 1] = code_data[offset + _ck_ntohl(lpc[0])];
+        int target = offset + jump;
+        saved_operand[keys + 1] = code_data[target];
         for (k = keys, lptr = &lpc[3]; --k >= 0; lptr += delta) {
-            int target = offset + _ck_ntohl(lptr[0]);
-            if (!isLegalTarget(context, target))
+            jump = _ck_ntohl(lptr[0]);
+            if (!isLegalOffset(context, offset, jump))
                 CCerror(context, "Illegal branch in tableswitch");
+            target = offset + jump;
             saved_operand[k + 1] = code_data[target];
         }
         saved_operand[0] = keys + 1; /* number of successors */
@@ -1746,11 +1750,24 @@ static int instruction_length(unsigned char *iptr, unsigned char *end)
 
 /* Given the target of a branch, make sure that it's a legal target. */
 static jboolean
-isLegalTarget(context_type *context, int offset)
+isLegalTarget(context_type *context, int target)
+{
+    int code_length = context->code_length;
+    int *code_data = context->code_data;
+    return (target >= 0 && target < code_length && code_data[target] >= 0);
+}
+
+/* Given a bci and offset, make sure the offset is valid and the target is legal */
+static jboolean
+isLegalOffset(context_type *context, int bci, int offset)
 {
     int code_length = context->code_length;
     int *code_data = context->code_data;
-    return (offset >= 0 && offset < code_length && code_data[offset] >= 0);
+    int max_offset = 65535; // JVMS 4.11
+    int min_offset = -65535;
+    if (offset < min_offset || offset > max_offset) return JNI_FALSE;
+    int target = bci + offset;
+    return (target >= 0 && target < code_length && code_data[target] >= 0);
 }
 
 

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java

@@ -41,7 +41,7 @@
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @LastModified: May 2025
+ * @LastModified: June 2025
  */
 public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     /** These are DocumentBuilderFactory attributes not DOM attributes */
@@ -59,11 +59,24 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     XMLSecurityManager fSecurityManager;
     XMLSecurityPropertyManager fSecurityPropertyMgr;
 
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance.
+     */
     public DocumentBuilderFactoryImpl() {
+        this(null, null);
+    }
+
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance with a {@code XMLSecurityManager}
+     * and {@code XMLSecurityPropertyManager}.
+     * @param xsm the {@code XMLSecurityManager}
+     * @param xspm the {@code XMLSecurityPropertyManager}
+     */
+    public DocumentBuilderFactoryImpl(XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) {
         JdkXmlConfig config = JdkXmlConfig.getInstance(false);
         // security (property) managers updated with current system properties
-        fSecurityManager = config.getXMLSecurityManager(true);
-        fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
+        fSecurityManager = (xsm == null) ? config.getXMLSecurityManager(true) : xsm;
+        fSecurityPropertyMgr = (xspm == null) ? config.getXMLSecurityPropertyManager(true) : xspm;
     }
 
     /**