From: Pavel Rebriy
Subject: [PATCH] Verifier: parameters and dimensions limit checks fix

- Adds check the number of dimensions in an array is limited to 255.
- Adds check the number of method parameters is limited to 255.
---
 vm/vmcore/src/verifier/Verifier.cpp | 23 +++++++++++++++++++++++
 vm/vmcore/src/verifier/ver_utils.cpp | 2 +-
 2 files changed, 24 insertions(+), 1 deletions(-)
b7eab86a9e62a9f5009d4a3558956a1025331cef
diff --git a/vm/vmcore/src/verifier/Verifier.cpp b/vm/vmcore/src/verifier/Verifier.cpp
index 5ca4f41..bc66bf2 100644
--- a/vm/vmcore/src/verifier/Verifier.cpp
+++ b/vm/vmcore/src/verifier/Verifier.cpp
@@ -3610,6 +3610,14 @@ vf_opcode_invoke( vf_Code_t *code,
 << ") Must call initializers using invokespecial" );
 return VER_ErrorConstantPool;
 }
+ // check number of arguments
+ if( cp_parse.method.m_inlen > 255 ) {
+ VERIFY_REPORT( ctex, "(class: " << class_get_name( ctex->m_class )
+ << ", method: " << method_get_name( ctex->m_method )
+ << method_get_descriptor( ctex->m_method )
+ << ") The number of method parameters is limited to 255" );
+ return VER_ErrorInstruction;
+ }
 // set stack modifier for instruction
 vf_set_stack_modifier( code, cp_parse.method.m_outlen - cp_parse.method.m_inlen );
 // set minimal stack for instruction
@@ -3645,6 +3653,14 @@ vf_opcode_invokespecial( vf_Code_t *code
 if( result != VER_OK ) {
 return result;
 }
+ // check number of arguments
+ if( cp_parse.method.m_inlen > 255 ) {
+ VERIFY_REPORT( ctex, "(class: " << class_get_name( ctex->m_class )
+ << ", method: " << method_get_name( ctex->m_method )
+ << method_get_descriptor( ctex->m_method )
+ << ") The number of method parameters is limited to 255" );
+ return VER_ErrorInstruction;
+ }
 // set stack modifier for instruction
 vf_set_stack_modifier( code, cp_parse.method.m_outlen - cp_parse.method.m_inlen );
 // set minimal stack for instruction
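Review bot: The eight-line parameter-count check added after the initializer check in vf_opcode_invoke is repeated verbatim in the vf_opcode_invokespecial hunk that follows; a small static helper taking cp_parse and ctex would keep the limit and the message from drifting between the two call sites, e.g. `result = vf_check_param_count( &cp_parse, ctex ); if( result != VER_OK ) { return result; }`. The literal 255 now appears in three places in this patch (the multianewarray hunk as well); a named constant (say `VF_MAX_METHOD_PARAMS`, name to be chosen) beside the verifier's other limits would make its origin clear. What m_inlen counts is not visible here: the JVM specification bounds the descriptor's parameter length at 255 including one unit for `this` on instance invocations and two units for long/double, so if m_inlen excludes the receiver slot, an instance method with 255 declared slots would still pass this check; a comment such as `// m_inlen is the argument slot count (receiver included); JVMS limit is 255` on the check, once confirmed, would settle it. Both enclosing functions start outside the hunks.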
@@ -4005,6 +4021,13 @@ vf_opcode_multianewarray( vf_Code_t *cod
 for( index = 0; array[index] == '['; index++ ) {
 continue;
 }
+ if( index > 255 ) {
+ VERIFY_REPORT( ctex, "(class: " << class_get_name( ctex->m_class )
+ << ", method: " << method_get_name( ctex->m_method )
+ << method_get_descriptor( ctex->m_method )
+ << ") Array with too many dimensions" );
+ return VER_ErrorInstruction;
+ }
 if( dimension == 0 || index < dimension ) {
 VERIFY_REPORT( ctex, "(class: " << class_get_name( ctex->m_class )
 << ", method: " << method_get_name( ctex->m_method )
diff --git a/vm/vmcore/src/verifier/ver_utils.cpp b/vm/vmcore/src/verifier/ver_utils.cpp
index e0e5faa..62febb9 100644
--- a/vm/vmcore/src/verifier/ver_utils.cpp
+++ b/vm/vmcore/src/verifier/ver_utils.cpp
@@ -1225,7 +1225,7 @@ vf_check_access_constraint( const char *
 // get instance class
 class_handler instance = vf_resolve_class( instance_name, false, ctex );
 if( !instance ) {
- // inctance class isn't loaded
+ // instance class isn't loaded
 return VER_ClassNotLoaded;
 }
--
1.3.3
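Review bot: The new `index > 255` guard only covers array descriptors reached through multianewarray, while the 255-dimension limit on array types applies to every array descriptor in a class file; an over-deep type arriving via anewarray, checkcast, or a field or method descriptor would presumably still be accepted unless a check exists elsewhere, which is not visible from this hunk. The message `") Array with too many dimensions"` also differs from the two parameter-count messages in this patch, which state the limit; `") The number of array dimensions is limited to 255"` would match them and tell the reader what was exceeded. The type of `index` is declared outside the hunk, so whether the comparison is against a signed or unsigned counter cannot be confirmed here. The enclosing function starts outside the hunk.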