openjdk
diff --git a/‎make/data/currency/CurrencyData.properties‎
Lines changed: 4 additions & 4 deletions b/‎make/data/currency/CurrencyData.properties‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/hotspot/share/classfile/stackMapTable.cpp‎
Lines changed: 9 additions & 1 deletion b/‎src/hotspot/share/classfile/stackMapTable.cpp‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎src/hotspot/share/classfile/stackMapTable.hpp‎
Lines changed: 1 addition & 1 deletion b/‎src/hotspot/share/classfile/stackMapTable.hpp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/hotspot/share/classfile/verifier.cpp‎
Lines changed: 19 additions & 16 deletions b/‎src/hotspot/share/classfile/verifier.cpp‎
Lines changed: 19 additions & 16 deletions
diff --git a/‎src/hotspot/share/interpreter/bytecodeStream.hpp‎
Lines changed: 17 additions & 2 deletions b/‎src/hotspot/share/interpreter/bytecodeStream.hpp‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎src/java.base/share/classes/sun/security/util/DerValue.java‎
Lines changed: 16 additions & 0 deletions b/‎src/java.base/share/classes/sun/security/util/DerValue.java‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/java.base/share/classes/sun/security/x509/AVA.java‎
Lines changed: 52 additions & 3 deletions b/‎src/java.base/share/classes/sun/security/x509/AVA.java‎
Lines changed: 52 additions & 3 deletions
diff --git a/‎src/java.base/share/native/libverify/check_code.c‎
Lines changed: 28 additions & 11 deletions b/‎src/java.base/share/native/libverify/check_code.c‎
Lines changed: 28 additions & 11 deletions
@@ -32,7 +32,7 @@ formatVersion=3
 # Version of the currency code information in this class.
 # It is a serial number that accompanies with each amendment.
 
-dataVersion=179
+dataVersion=180
 
 # List of all valid ISO 4217 currency codes.
 # To ensure compatibility, do not remove codes.
@@ -147,7 +147,7 @@ IO=USD
 # BRUNEI DARUSSALAM
 BN=BND
 # BULGARIA
-BG=BGN
+BG=BGN;2025-12-31-22-00-00;EUR
 # BURKINA FASO
 BF=XOF
 # BURUNDI
@@ -193,7 +193,7 @@ HR=EUR
 # CUBA
 CU=CUP
 # Cura\u00e7ao
-CW=ANG;2025-04-01-04-00-00;XCG
+CW=XCG
 # CYPRUS
 CY=EUR
 # CZECHIA
@@ -510,7 +510,7 @@ SR=SRD
 # SVALBARD AND JAN MAYEN
 SJ=NOK
 # Sint Maarten (Dutch part)
-SX=ANG;2025-04-01-04-00-00;XCG
+SX=XCG
 # ESWATINI
 SZ=SZL
 # SWEDEN
 
@@ -122,8 +122,16 @@ bool StackMapTable::match_stackmap(
 }
 
 void StackMapTable::check_jump_target(
- StackMapFrame* frame, int32_t target, TRAPS) const {
+ StackMapFrame* frame, int bci, int offset, TRAPS) const {
  ErrorContext ctx;
+ // Jump targets must be within the method and the method size is limited. See JVMS 4.11
+ int min_offset = -1 * max_method_code_size;
+ if (offset < min_offset || offset > max_method_code_size) {
+ frame->verifier()->verify_error(ErrorContext::bad_stackmap(bci, frame),
+ "Illegal target of jump or branch (bci %d + offset %d)", bci, offset);
+ return;
+ }
+ int target = bci + offset;
  bool match = match_stackmap(
  frame, target, true, false, &ctx, CHECK_VERIFY(frame->verifier()));
  if (!match || (target < 0 || target >= _code_length)) {
 
@@ -69,7 +69,7 @@ class StackMapTable : public StackObj {
 
  // Check jump instructions. Make sure there are no uninitialized
  // instances on backward branch.
- void check_jump_target(StackMapFrame* frame, int32_t target, TRAPS) const;
+ void check_jump_target(StackMapFrame* frame, int bci, int offset, TRAPS) const;
 
  // The following methods are only used inside this class.
 
 
@@ -717,7 +717,6 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
  // Merge with the next instruction
  {
  u2 index;
- int target;
  VerificationType type, type2;
  VerificationType atype;
 
@@ -1534,9 +1533,8 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
  case Bytecodes::_ifle:
  current_frame.pop_stack(
  VerificationType::integer_type(), CHECK_VERIFY(this));
- target = bcs.dest();
  stackmap_table.check_jump_target(
- &current_frame, target, CHECK_VERIFY(this));
+ &current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
  no_control_flow = false; break;
  case Bytecodes::_if_acmpeq :
  case Bytecodes::_if_acmpne :
@@ -1547,19 +1545,16 @@ void ClassVerifier::verify_method(const methodHandle& m, TRAPS) {
  case Bytecodes::_ifnonnull :
  current_frame.pop_stack(
  VerificationType::reference_check(), CHECK_VERIFY(this));
- target = bcs.dest();
  stackmap_table.check_jump_target
- (&current_frame, target, CHECK_VERIFY(this));
+ (&current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
  no_control_flow = false; break;
  case Bytecodes::_goto :
- target = bcs.dest();
  stackmap_table.check_jump_target(
- &current_frame, target, CHECK_VERIFY(this));
+ &current_frame, bcs.bci(), bcs.get_offset_s2(), CHECK_VERIFY(this));
  no_control_flow = true; break;
  case Bytecodes::_goto_w :
- target = bcs.dest_w();
  stackmap_table.check_jump_target(
- &current_frame, target, CHECK_VERIFY(this));
+ &current_frame, bcs.bci(), bcs.get_offset_s4(), CHECK_VERIFY(this));
  no_control_flow = true; break;
  case Bytecodes::_tableswitch :
  case Bytecodes::_lookupswitch :
@@ -2208,15 +2203,14 @@ void ClassVerifier::verify_switch(
  }
  }
  }
- int target = bci + default_offset;
- stackmap_table->check_jump_target(current_frame, target, CHECK_VERIFY(this));
+ stackmap_table->check_jump_target(current_frame, bci, default_offset, CHECK_VERIFY(this));
  for (int i = 0; i < keys; i++) {
  // Because check_jump_target() may safepoint, the bytecode could have
  // moved, which means 'aligned_bcp' is no good and needs to be recalculated.
  aligned_bcp = align_up(bcs->bcp() + 1, jintSize);
- target = bci + (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
+ int offset = (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
  stackmap_table->check_jump_target(
- current_frame, target, CHECK_VERIFY(this));
+ current_frame, bci, offset, CHECK_VERIFY(this));
  }
  NOT_PRODUCT(aligned_bcp = NULL); // no longer valid at this point
 }
@@ -2479,8 +2473,13 @@ bool ClassVerifier::ends_in_athrow(u4 start_bc_offset) {
  break;
 
  case Bytecodes::_goto:
- case Bytecodes::_goto_w:
- target = (opcode == Bytecodes::_goto ? bcs.dest() : bcs.dest_w());
+ case Bytecodes::_goto_w: {
+ int offset = (opcode == Bytecodes::_goto ? bcs.get_offset_s2() : bcs.get_offset_s4());
+ int min_offset = -1 * max_method_code_size;
+ // Check offset for overflow
+ if (offset < min_offset || offset > max_method_code_size) return false;
+
+ target = bci + offset;
  if (visited_branches->contains(bci)) {
  if (bci_stack->is_empty()) {
  if (handler_stack->is_empty()) {
@@ -2501,6 +2500,7 @@ bool ClassVerifier::ends_in_athrow(u4 start_bc_offset) {
  visited_branches->append(bci);
  }
  break;
+ }
 
  // Check that all switch alternatives end in 'athrow' bytecodes. Since it
  // is difficult to determine where each switch alternative ends, parse
@@ -2537,7 +2537,10 @@ bool ClassVerifier::ends_in_athrow(u4 start_bc_offset) {
 
  // Push the switch alternatives onto the stack.
  for (int i = 0; i < keys; i++) {
- u4 target = bci + (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
+ int min_offset = -1 * max_method_code_size;
+ int offset = (jint)Bytes::get_Java_u4(aligned_bcp+(3+i*delta)*jintSize);
+ if (offset < min_offset || offset > max_method_code_size) return false;
+ u4 target = bci + offset;
  if (target > code_length) return false;
  bci_stack->push(target);
  }
 
@@ -100,8 +100,23 @@ class BaseBytecodeStream: StackObj {
  void set_next_bci(int bci) { assert(0 <= bci && bci <= method()->code_size(), "illegal bci"); _next_bci = bci; }
 
  // Bytecode-specific attributes
- int dest() const { return bci() + bytecode().get_offset_s2(raw_code()); }
- int dest_w() const { return bci() + bytecode().get_offset_s4(raw_code()); }
+ int get_offset_s2() const { return bytecode().get_offset_s2(raw_code()); }
+ int get_offset_s4() const { return bytecode().get_offset_s4(raw_code()); }
+
+ // These methods are not safe to use before or during verification as they may
+ // have large offsets and cause overflows
+ int dest() const {
+ int min_offset = -1 * max_method_code_size;
+ int offset = bytecode().get_offset_s2(raw_code());
+ guarantee(offset >= min_offset && offset <= max_method_code_size, "must be");
+ return bci() + offset;
+ }
+ int dest_w() const {
+ int min_offset = -1 * max_method_code_size;
+ int offset = bytecode().get_offset_s4(raw_code());
+ guarantee(offset >= min_offset && offset <= max_method_code_size, "must be");
+ return bci() + offset;
+ }
 
  // One-byte indices.
  int get_index_u1() const { assert_raw_index_size(1); return *(jubyte*)(bcp()+1); }
 
@@ -821,6 +821,22 @@ public boolean equals(Object o) {
  doEquals(other, this);
  }
 
+ /**
+ * Checks that the BMPString does not contain any surrogate characters,
+ * which are outside the Basic Multilingual Plane.
+ *
+ * @throws IOException if illegal characters are detected
+ */
+ public void validateBMPString() throws IOException {
+ String bmpString = getBMPString();
+ for (int i = 0; i < bmpString.length(); i++) {
+ if (Character.isSurrogate(bmpString.charAt(i))) {
+ throw new IOException(
+ "Illegal character in BMPString, index: " + i);
+ }
+ }
+ }
+
  /**
  * Helper for public method equals()
  */
 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,9 +30,14 @@
 import java.io.OutputStream;
 import java.io.Reader;
 import java.security.AccessController;
+import java.nio.charset.Charset;
 import java.text.Normalizer;
 import java.util.*;
 
+import static java.nio.charset.StandardCharsets.ISO_8859_1;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.nio.charset.StandardCharsets.UTF_16BE;
+
 import sun.security.action.GetBooleanAction;
 import sun.security.util.*;
 import sun.security.pkcs.PKCS9Attribute;
@@ -606,6 +611,10 @@ private static boolean trailingSpace(Reader in) throws IOException {
  throw new IOException("AVA, extra bytes = "
  + derval.data.available());
  }
+
+ if (value.tag == DerValue.tag_BMPString) {
+ value.validateBMPString();
+ }
  }
 
  AVA(DerInputStream in) throws IOException {
@@ -753,7 +762,7 @@ public String toRFC2253String(Map<String, String> oidMap) {
  */
  String valStr = null;
  try {
- valStr = new String(value.getDataBytes(), "UTF8");
+ valStr = new String(value.getDataBytes(), getCharset(value, false));
  } catch (IOException ie) {
  throw new IllegalArgumentException("DER Value conversion");
  }
@@ -906,7 +915,7 @@ public String toRFC2253CanonicalString() {
  */
  String valStr = null;
  try {
- valStr = new String(value.getDataBytes(), "UTF8");
+ valStr = new String(value.getDataBytes(), getCharset(value, true));
  } catch (IOException ie) {
  throw new IllegalArgumentException("DER Value conversion");
  }
@@ -1026,6 +1035,46 @@ private static boolean isDerString(DerValue value, boolean canonical) {
  }
  }
 
+ /*
+ * Returns the charset that should be used to decode each DN string type.
+ *
+ * This method ensures that multi-byte (UTF8String and BMPString) types
+ * are decoded using the correct charset and the String forms represent
+ * the correct characters. For 8-bit ASCII-based types (PrintableString
+ * and IA5String), we return ISO_8859_1 rather than ASCII, so that the
+ * complete range of characters can be represented, as many certificates
+ * do not comply with the Internationalized Domain Name ACE format.
+ *
+ * NOTE: this method only supports DirectoryStrings of the types returned
+ * by isDerString().
+ */
+ private static Charset getCharset(DerValue value, boolean canonical) {
+ if (canonical) {
+ switch (value.tag) {
+ case DerValue.tag_PrintableString:
+ return ISO_8859_1;
+ case DerValue.tag_UTF8String:
+ return UTF_8;
+ default:
+ throw new Error("unexpected tag: " + value.tag);
+ }
+ }
+
+ switch (value.tag) {
+ case DerValue.tag_PrintableString:
+ case DerValue.tag_T61String:
+ case DerValue.tag_IA5String:
+ case DerValue.tag_GeneralString:
+ return ISO_8859_1;
+ case DerValue.tag_BMPString:
+ return UTF_16BE;
+ case DerValue.tag_UTF8String:
+ return UTF_8;
+ default:
+ throw new Error("unexpected tag: " + value.tag);
+ }
+ }
+
  boolean hasRFC2253Keyword() {
  return AVAKeyword.hasKeyword(oid, RFC2253);
  }
 
@@ -398,7 +398,8 @@ static jboolean is_superclass(context_type *, fullinfo_type);
 
 static void initialize_exception_table(context_type *);
 static int instruction_length(unsigned char *iptr, unsigned char *end);
-static jboolean isLegalTarget(context_type *, int offset);
+static jboolean isLegalOffset(context_type *, int bci, int offset);
+static jboolean isLegalTarget(context_type *, int target);
 static void verify_constant_pool_type(context_type *, int, unsigned);
 
 static void initialize_dataflow(context_type *);
@@ -1169,9 +1170,9 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
  case JVM_OPC_goto: {
  /* Set the ->operand to be the instruction number of the target. */
  int jump = (((signed char)(code[offset+1])) << 8) + code[offset+2];
- int target = offset + jump;
- if (!isLegalTarget(context, target))
+ if (!isLegalOffset(context, offset, jump))
  CCerror(context, "Illegal target of jump or branch");
+ int target = offset + jump;
  this_idata->operand.i = code_data[target];
  break;
  }
@@ -1185,9 +1186,9 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
  int jump = (((signed char)(code[offset+1])) << 24) +
  (code[offset+2] << 16) + (code[offset+3] << 8) +
  (code[offset + 4]);
- int target = offset + jump;
- if (!isLegalTarget(context, target))
+ if (!isLegalOffset(context, offset, jump))
  CCerror(context, "Illegal target of jump or branch");
+ int target = offset + jump;
  this_idata->operand.i = code_data[target];
  break;
  }
@@ -1226,13 +1227,16 @@ verify_opcode_operands(context_type *context, unsigned int inumber, int offset)
  }
  }
  saved_operand = NEW(int, keys + 2);
- if (!isLegalTarget(context, offset + _ck_ntohl(lpc[0])))
+ int jump = _ck_ntohl(lpc[0]);
+ if (!isLegalOffset(context, offset, jump))
  CCerror(context, "Illegal default target in switch");
- saved_operand[keys + 1] = code_data[offset + _ck_ntohl(lpc[0])];
+ int target = offset + jump;
+ saved_operand[keys + 1] = code_data[target];
  for (k = keys, lptr = &lpc[3]; --k >= 0; lptr += delta) {
- int target = offset + _ck_ntohl(lptr[0]);
- if (!isLegalTarget(context, target))
+ jump = _ck_ntohl(lptr[0]);
+ if (!isLegalOffset(context, offset, jump))
  CCerror(context, "Illegal branch in tableswitch");
+ target = offset + jump;
  saved_operand[k + 1] = code_data[target];
  }
  saved_operand[0] = keys + 1; /* number of successors */
@@ -1756,11 +1760,24 @@ static int instruction_length(unsigned char *iptr, unsigned char *end)
 
 /* Given the target of a branch, make sure that it's a legal target. */
 static jboolean
-isLegalTarget(context_type *context, int offset)
+isLegalTarget(context_type *context, int target)
+{
+ int code_length = context->code_length;
+ int *code_data = context->code_data;
+ return (target >= 0 && target < code_length && code_data[target] >= 0);
+}
+
+/* Given a bci and offset, make sure the offset is valid and the target is legal */
+static jboolean
+isLegalOffset(context_type *context, int bci, int offset)
 {
  int code_length = context->code_length;
  int *code_data = context->code_data;
- return (offset >= 0 && offset < code_length && code_data[offset] >= 0);
+ int max_offset = 65535; // JVMS 4.11
+ int min_offset = -65535;
+ if (offset < min_offset || offset > max_offset) return JNI_FALSE;
+ int target = bci + offset;
+ return (target >= 0 && target < code_length && code_data[target] >= 0);
 }