From 9088dcdb4a2b62405a1403a747f8834ea725ee8f Mon Sep 17 00:00:00 2001
From: Ivan Gerasimov <igerasim@openjdk.org>
Date: Thu, 11 Aug 2016 17:03:40 +0300
Subject: [PATCH] 8163518: Integer overflow in StringBufferInputStream.read()
 and CharArrayReader.read/skip()

Reviewed-by: rriggs, shade
---
 .../classes/java/io/CharArrayReader.java      | 12 +++--
 .../java/io/StringBufferInputStream.java      |  6 ++-
 .../io/CharArrayReader/OverflowInRead.java    | 50 ++++++++++++++++++
 .../io/CharArrayReader/OverflowInSkip.java    | 51 +++++++++++++++++++
 .../OverflowInRead.java                       | 49 ++++++++++++++++++
 5 files changed, 162 insertions(+), 6 deletions(-)
 create mode 100644 jdk/test/java/io/CharArrayReader/OverflowInRead.java
 create mode 100644 jdk/test/java/io/CharArrayReader/OverflowInSkip.java
 create mode 100644 jdk/test/java/io/StringBufferInputStream/OverflowInRead.java

diff --git a/jdk/src/java.base/share/classes/java/io/CharArrayReader.java b/jdk/src/java.base/share/classes/java/io/CharArrayReader.java
index 3ff8291df21..08b13811d35 100644
--- a/jdk/src/java.base/share/classes/java/io/CharArrayReader.java
+++ b/jdk/src/java.base/share/classes/java/io/CharArrayReader.java
@@ -131,8 +131,10 @@ public class CharArrayReader extends Reader {
             if (pos >= count) {
                 return -1;
             }
-            if (pos + len > count) {
-                len = count - pos;
+
+            int avail = count - pos;
+            if (len > avail) {
+                len = avail;
             }
             if (len <= 0) {
                 return 0;
@@ -158,8 +160,10 @@ public class CharArrayReader extends Reader {
     public long skip(long n) throws IOException {
         synchronized (lock) {
             ensureOpen();
-            if (pos + n > count) {
-                n = count - pos;
+
+            long avail = count - pos;
+            if (n > avail) {
+                n = avail;
             }
             if (n < 0) {
                 return 0;
diff --git a/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java b/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java
index 3e64f78f6a4..787cbb9c45e 100644
--- a/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java
+++ b/jdk/src/java.base/share/classes/java/io/StringBufferInputStream.java
@@ -118,8 +118,10 @@ class StringBufferInputStream extends InputStream {
         if (pos >= count) {
             return -1;
         }
-        if (pos + len > count) {
-            len = count - pos;
+
+        int avail = count - pos;
+        if (len > avail) {
+            len = avail;
         }
         if (len <= 0) {
             return 0;
diff --git a/jdk/test/java/io/CharArrayReader/OverflowInRead.java b/jdk/test/java/io/CharArrayReader/OverflowInRead.java
new file mode 100644
index 00000000000..8250ea4bd1a
--- /dev/null
+++ b/jdk/test/java/io/CharArrayReader/OverflowInRead.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when reading in large buffer
+ * @requires (os.simpleArch == "x64" & os.maxMemory > 8g)
+ * @run main/othervm -Xmx8g OverflowInRead
+ */
+
+import java.io.CharArrayReader;
+
+public class OverflowInRead {
+    public static void main(String[] args) throws Exception {
+        char[] a = "_123456789_123456789_123456789_123456789"
+                .toCharArray(); // a.length > 33
+        try (CharArrayReader car = new CharArrayReader(a)) {
+            int len1 = 33;
+            char[] buf1 = new char[len1];
+            if (car.read(buf1, 0, len1) != len1)
+                throw new Exception("Expected to read " + len1 + " chars");
+
+            int len2 = Integer.MAX_VALUE - 32;
+            char[] buf2 = new char[len2];
+            int expLen2 = a.length - len1;
+            if (car.read(buf2, 0, len2) != expLen2)
+                throw new Exception("Expected to read " + expLen2 + " chars");
+        }
+    }
+}
diff --git a/jdk/test/java/io/CharArrayReader/OverflowInSkip.java b/jdk/test/java/io/CharArrayReader/OverflowInSkip.java
new file mode 100644
index 00000000000..94c04a085d9
--- /dev/null
+++ b/jdk/test/java/io/CharArrayReader/OverflowInSkip.java
@@ -0,0 +1,51 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when skipping a lot
+ */
+
+import java.io.CharArrayReader;
+
+public class OverflowInSkip {
+    public static void main(String[] args) throws Exception {
+        char[] a = "_123456789_123456789_123456789_123456789"
+                .toCharArray(); // a.length > 33
+        try (CharArrayReader car = new CharArrayReader(a)) {
+            long small = 33;
+            long big = Long.MAX_VALUE;
+
+            long smallSkip = car.skip(small);
+            if (smallSkip != small)
+                throw new Exception("Expected to skip " + small
+                        + " chars, but skipped " + smallSkip);
+
+            long expSkip = a.length - small;
+            long bigSkip = car.skip(big);
+            if (bigSkip != expSkip)
+                throw new Exception("Expected to skip " + expSkip
+                        + " chars, but skipped " + bigSkip);
+        }
+    }
+}
diff --git a/jdk/test/java/io/StringBufferInputStream/OverflowInRead.java b/jdk/test/java/io/StringBufferInputStream/OverflowInRead.java
new file mode 100644
index 00000000000..bb3c381af81
--- /dev/null
+++ b/jdk/test/java/io/StringBufferInputStream/OverflowInRead.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+ * @bug 8163518
+ * @summary Integer overflow when reading in large buffer
+ * @requires (os.simpleArch == "x64" & os.maxMemory > 4g)
+ * @run main/othervm -Xmx4g OverflowInRead
+ */
+
+import java.io.StringBufferInputStream;
+
+public class OverflowInRead {
+    public static void main(String[] args) throws Exception {
+        String s = "_123456789_123456789_123456789_123456789"; // s.length() > 33
+        try (StringBufferInputStream sbis = new StringBufferInputStream(s)) {
+            int len1 = 33;
+            byte[] buf1 = new byte[len1];
+            if (sbis.read(buf1, 0, len1) != len1)
+                throw new Exception("Expected to read " + len1 + " bytes");
+
+            int len2 = Integer.MAX_VALUE - 32;
+            byte[] buf2 = new byte[len2];
+            int expLen2 = s.length() - len1;
+            if (sbis.read(buf2, 0, len2) != expLen2)
+                throw new Exception("Expected to read " + expLen2 + " bytes");
+        }
+    }
+}