From b051a23591c41c16d1368b78e00fcf4df14f3db8 Mon Sep 17 00:00:00 2001
From: Jon Masamitsu
Date: Tue, 24 Feb 2009 22:12:24 -0800
Subject: [PATCH] 6806226: Signed integer overflow in growable array code causes JVM crash
Workaround the overflow by doing the intermediate calculations in an unsigned variable.
Reviewed-by: ysr, jcoomes
---
hotspot/src/share/vm/utilities/growableArray.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/hotspot/src/share/vm/utilities/growableArray.cpp b/hotspot/src/share/vm/utilities/growableArray.cpp
index eeb259c5317..8ad410249b4 100644
--- a/hotspot/src/share/vm/utilities/growableArray.cpp
+++ b/hotspot/src/share/vm/utilities/growableArray.cpp
@@ -43,11 +43,13 @@ void GenericGrowableArray::check_nesting() {
 #endif
 void* GenericGrowableArray::raw_allocate(int elementSize) {
+ assert(_max >= 0, "integer overflow");
+ size_t byte_size = elementSize * (size_t) _max;
 if (on_stack()) {
- return (void*)resource_allocate_bytes(elementSize * _max);
+ return (void*)resource_allocate_bytes(byte_size);
 } else if (on_C_heap()) {
- return (void*)AllocateHeap(elementSize * _max, "GrET in " __FILE__);
+ return (void*)AllocateHeap(byte_size, "GrET in " __FILE__);
 } else {
- return _arena->Amalloc(elementSize * _max);
+ return _arena->Amalloc(byte_size);
 }
 }
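Review bot: In `raw_allocate`, the new `assert(_max >= 0, "integer overflow")` is the only guard on the size computation, and HotSpot asserts are normally compiled out of product builds, so a negative `_max` would there be cast to a huge `size_t` and passed straight to the allocator. The multiplication `elementSize * (size_t) _max` can also still wrap where `size_t` is 32 bits, which would yield a buffer smaller than the array believes it owns. A check that stays active in release builds would close both gaps, for example `guarantee(elementSize > 0 && _max >= 0 && (size_t) _max <= SIZE_MAX / (size_t) elementSize, "integer overflow");` placed before `byte_size` is computed. The code that lets `_max` overflow in the first place is outside this hunk, so this only hardens the allocation site.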