Merge pull request #21641 from pshipton/sendslots0.51

tajila · web-flow · commit 411e7744e928 · 2025-04-14T16:46:26.000-04:00
(0.51) Limit iterations of signature loop
diff --git a/runtime/util/sendslot.c b/runtime/util/sendslot.c
@@ -22,6 +22,7 @@
 
 #include "j9.h"
 #include "util_internal.h"
+#include <stdint.h>
 
 /* there is no error checking: the signature MUST be well-formed */
 UDATA
@@ -30,21 +31,25 @@ getSendSlotsFromSignature(const U_8* signature)
 	UDATA sendArgs = 0;
 	UDATA i = 1; /* 1 to skip the opening '(' */
 
-	for (; ; i++) {
+	/* All UTF8 in the class file have a size represented by uint16_t. The size check
+	 * is only necessary for ASGCT where the signature provided may not be valid,
+	 * but is harmless in the normal runtime case.
+	 */
+	for (; i <= UINT16_MAX; i++) {
 		switch (signature[i]) {
 		case ')':
-			return sendArgs;
+			goto done;
 		case '[':
 			/* skip all '['s */
-			for (i++; signature[i] == '['; i++);
+			for (i++; (i <= UINT16_MAX) && (signature[i] == '['); i++);
 			if (signature[i] == 'L') {
 				/* FALL THRU */
 			} else {
 				sendArgs++;
 				break;
 			}
 		case 'L':
-			for (i++; signature[i] != ';'; i++);
+			for (i++; (i <= UINT16_MAX) && (signature[i] != ';'); i++);
 			sendArgs++;
 			break;
 		case 'D':
@@ -57,5 +62,7 @@ getSendSlotsFromSignature(const U_8* signature)
 			break;
 		}
 	}
+done:
+	return sendArgs;
 }
 
