Fix utf8 range check in SCC

The existing check dereferences the utf8 before ensuring that the header is in the SCC. This causes a segfault when the header is not in the SCC. Signed-off-by: Tobi Ajila <atobia@ca.ibm.com>
eclipse-openj9 · Dec 16, 2020 · 49ee6b5 · 49ee6b5
1 parent 5cbd27b
commit 49ee6b5
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/runtime/bcutil/ComparingCursor.cpp b/runtime/bcutil/ComparingCursor.cpp
@@ -539,9 +539,17 @@ bool
 ComparingCursor::isRangeValidForUTF8Ptr(J9UTF8 *utf8)
 {
 	U_8 *ptr = (U_8*)utf8;
-
+	/*
+	 * Need to check the UTF8 to verify that it is either in a J9MemorySegment or in the
+	 * SCC.
+	 */
 	if (_checkRangeInSharedCache) {
-		return FALSE != j9shr_Query_IsAddressInCache(_javaVM, utf8, J9UTF8_TOTAL_SIZE(utf8));
+		/* Need to check if the header (length field) is in range first, before reading the length
+		 * to determine if the rest of the data is in range. Failure to do so results in potentially
+		 * dereferencing inaccessible memory.
+		 */
+		return j9shr_Query_IsAddressInCache(_javaVM, utf8, sizeof(J9UTF8))
+				&& j9shr_Query_IsAddressInCache(_javaVM, utf8, J9UTF8_TOTAL_SIZE(utf8));
 	} else {
 		UDATA maxLength = getMaximumValidLengthForPtrInSegment(ptr);