8152207: Perform array bound checks while getting a length of bytecode instructions

martinuy · martinuy · commit d4adbe339c3d · 2024-08-13T14:58:08.000Z
Reviewed-by: sgehwolf, phh
Backport-of: 68c8a74fbe25918ec50711ce10eff65afcc73b93
diff --git a/hotspot/src/share/vm/interpreter/bytecodes.hpp b/hotspot/src/share/vm/interpreter/bytecodes.hpp
@@ -394,15 +394,16 @@ class Bytecodes: AllStatic {
   static Code       non_breakpoint_code_at(const Method* method, address bcp);
 
   // Bytecode attributes
-  static bool        is_defined     (int  code)    { return 0 <= code && code < number_of_codes && flags(code, false) != 0; }
+  static bool        is_valid       (int  code)    { return 0 <= code && code < number_of_codes; }
+  static bool        is_defined     (int  code)    { return is_valid(code) && flags(code, false) != 0; }
   static bool        wide_is_defined(int  code)    { return is_defined(code) && flags(code, true) != 0; }
   static const char* name           (Code code)    { check(code);      return _name          [code]; }
   static BasicType   result_type    (Code code)    { check(code);      return _result_type   [code]; }
   static int         depth          (Code code)    { check(code);      return _depth         [code]; }
   // Note: Length functions must return <=0 for invalid bytecodes.
   // Calling check(code) in length functions would throw an unwanted assert.
-  static int         length_for     (Code code)    { /*no check*/      return _lengths       [code] & 0xF; }
-  static int         wide_length_for(Code code)    { /*no check*/      return _lengths       [code] >> 4; }
+  static int         length_for     (Code code)    { return is_valid(code) ? _lengths[code] & 0xF : -1; }
+  static int         wide_length_for(Code code)    { return is_valid(code) ? _lengths[code]  >> 4 : -1; }
   static bool        can_trap       (Code code)    { check(code);      return has_all_flags(code, _bc_can_trap, false); }
   static Code        java_code      (Code code)    { check(code);      return _java_code     [code]; }
   static bool        can_rewrite    (Code code)    { check(code);      return has_all_flags(code, _bc_can_rewrite, false); }
diff --git a/jdk/src/share/native/common/check_code.c b/jdk/src/share/native/common/check_code.c
@@ -1731,9 +1731,14 @@ static int instruction_length(unsigned char *iptr, unsigned char *end)
             }
 
         default: {
+            if (instruction < 0 || instruction > JVM_OPC_MAX)
+                return -1;
+
             /* A length of 0 indicates an error. */
-            int length = opcode_length[instruction];
-            return (length <= 0) ? -1 : length;
+            if (opcode_length[instruction] <= 0)
+                return -1;
+
+            return opcode_length[instruction];
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1731,9 +1731,14 @@ static int instruction_length(unsigned char iptr, unsigned char end)`
`1731`	`1731`	`}`
`1732`	`1732`
`1733`	`1733`	`default: {`
	`1734`	`+ if (instruction < 0 \|\| instruction > JVM_OPC_MAX)`
	`1735`	`+ return -1;`
	`1736`	`+`
`1734`	`1737`	`/* A length of 0 indicates an error. */`
`1735`		`- int length = opcode_length[instruction];`
`1736`		`- return (length <= 0) ? -1 : length;`
	`1738`	`+ if (opcode_length[instruction] <= 0)`
	`1739`	`+ return -1;`
	`1740`	`+`
	`1741`	`+ return opcode_length[instruction];`
`1737`	`1742`	`}`
`1738`	`1743`	`}`
`1739`	`1744`	`}`