8234418: Better parsing with CertificateFactory

seanjmullan · seanjmullan · commit d285fd6dced0 · 2020-02-06T09:36:51.000-05:00
Reviewed-by: weijun, mschoene, rhalade
diff --git a/src/java.base/share/classes/sun/security/util/DerInputBuffer.java b/src/java.base/share/classes/sun/security/util/DerInputBuffer.java
@@ -354,8 +354,12 @@ private Date getTime(int len, boolean generalized) throws IOException {
             second += toDigit(buf[pos++], type);
             len -= 2;
             // handle fractional seconds (if present)
-            if (buf[pos] == '.' || buf[pos] == ',') {
+            if (generalized && (buf[pos] == '.' || buf[pos] == ',')) {
                 len --;
+                if (len == 0) {
+                    throw new IOException("Parse " + type +
+                            " time, empty fractional part");
+                }
                 pos++;
                 int precision = 0;
                 while (buf[pos] != 'Z' &&
@@ -365,6 +369,11 @@ private Date getTime(int len, boolean generalized) throws IOException {
                     // store millisecond precision only
                     int thisDigit = toDigit(buf[pos], type);
                     precision++;
+                    len--;
+                    if (len == 0) {
+                        throw new IOException("Parse " + type +
+                                " time, invalid fractional part");
+                    }
                     pos++;
                     switch (precision) {
                         case 1:
@@ -382,7 +391,6 @@ private Date getTime(int len, boolean generalized) throws IOException {
                     throw new IOException("Parse " + type +
                             " time, empty fractional part");
                 }
-                len -= precision;
             }
         } else
             second = 0;
@@ -412,6 +420,9 @@ private Date getTime(int len, boolean generalized) throws IOException {
 
         switch (buf[pos++]) {
         case '+':
+            if (len != 5) {
+                throw new IOException("Parse " + type + " time, invalid offset");
+            }
             hr = 10 * toDigit(buf[pos++], type);
             hr += toDigit(buf[pos++], type);
             min = 10 * toDigit(buf[pos++], type);
@@ -424,6 +435,9 @@ private Date getTime(int len, boolean generalized) throws IOException {
             break;
 
         case '-':
+            if (len != 5) {
+                throw new IOException("Parse " + type + " time, invalid offset");
+            }
             hr = 10 * toDigit(buf[pos++], type);
             hr += toDigit(buf[pos++], type);
             min = 10 * toDigit(buf[pos++], type);
@@ -436,6 +450,9 @@ private Date getTime(int len, boolean generalized) throws IOException {
             break;
 
         case 'Z':
+            if (len != 1) {
+                throw new IOException("Parse " + type + " time, invalid format");
+            }
             break;
 
         default:
