8214444: Wrong strncat limits in dfa.cpp

Reviewed-by: kvn
2018-12-03 14:28:19 +03:00 · 2018-12-03 14:28:19 +03:00 · a971050bff
commit a971050bff
parent 835c863ba8
2 changed files with 20 additions and 15 deletions
--- a/src/hotspot/share/adlc/adlc.hpp
+++ b/src/hotspot/share/adlc/adlc.hpp
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -50,6 +50,10 @@ using namespace std;
 #define strdup _strdup
 #endif

+#if _MSC_VER < 1900
+#define snprintf _snprintf
+#endif
+
 #ifndef _INTPTR_T_DEFINED
 #ifdef _WIN64
 typedef __int64 intptr_t;
--- a/src/hotspot/share/adlc/dfa.cpp
+++ b/src/hotspot/share/adlc/dfa.cpp
@ -719,21 +719,21 @@ const char *Expr::compute_external(const Expr *c1, const Expr *c2) {

  // Preserve use of external name which has a zero value
  if( c1->_external_name != NULL ) {
-    sprintf(string_buffer, "%s", c1->as_string());
-    if( !c2->is_zero() ) {
-      strncat(string_buffer, "+", STRING_BUFFER_LENGTH);
-      strncat(string_buffer, c2->as_string(), STRING_BUFFER_LENGTH);
+    if( c2->is_zero() ) {
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s", c1->as_string());
+    } else {
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s+%s", c1->as_string(), c2->as_string());
    }
+    string_buffer[STRING_BUFFER_LENGTH - 1] = '\0';
    result = strdup(string_buffer);
  }
  else if( c2->_external_name != NULL ) {
-    if( !c1->is_zero() ) {
-      sprintf(string_buffer, "%s", c1->as_string());
-      strncat(string_buffer, " + ", STRING_BUFFER_LENGTH);
+    if( c1->is_zero() ) {
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s", c2->_external_name);
    } else {
-      string_buffer[0] = '\0';
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s + %s", c1->as_string(), c2->as_string());
    }
-    strncat(string_buffer, c2->_external_name, STRING_BUFFER_LENGTH);
+    string_buffer[STRING_BUFFER_LENGTH - 1] = '\0';
    result = strdup(string_buffer);
  }
  return result;
@ -741,18 +741,19 @@ const char *Expr::compute_external(const Expr *c1, const Expr *c2) {

 const char *Expr::compute_expr(const Expr *c1, const Expr *c2) {
  if( !c1->is_zero() ) {
-    sprintf( string_buffer, "%s", c1->_expr);
-    if( !c2->is_zero() ) {
-      strncat(string_buffer, "+", STRING_BUFFER_LENGTH);
-      strncat(string_buffer, c2->_expr, STRING_BUFFER_LENGTH);
+    if( c2->is_zero() ) {
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s", c1->_expr);
+    } else {
+      snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s+%s", c1->_expr, c2->_expr);
    }
  }
  else if( !c2->is_zero() ) {
-    sprintf( string_buffer, "%s", c2->_expr);
+    snprintf(string_buffer, STRING_BUFFER_LENGTH, "%s", c2->_expr);
  }
  else {
    sprintf( string_buffer, "0");
  }
+  string_buffer[STRING_BUFFER_LENGTH - 1] = '\0';
  char *cost = strdup(string_buffer);

  return cost;