# HG changeset patch
# User mgerdin
# Date 1383143725 -3600
# Node ID ea79ab313e985747510439fdc1eb9cf147e7084c
# Parent 1a04de1aaedb6e64182a75b1803d117fe5289893
8027252: Crash in interpreter because get_unsigned_2_byte_index_at_bcp reads 4 bytes
Summary: Use 2-byte loads to load indexes from the byte code stream to avoid out of bounds reads.
Reviewed-by: coleenp, sspitsyn
diff -r 1a04de1aaedb -r ea79ab313e98 src/cpu/x86/vm/interp_masm_x86_32.cpp
--- a/src/cpu/x86/vm/interp_masm_x86_32.cpp Mon Oct 28 21:41:48 2013 +0400
+++ b/src/cpu/x86/vm/interp_masm_x86_32.cpp Wed Oct 30 15:35:25 2013 +0100
@@ -196,7 +196,7 @@
 void InterpreterMacroAssembler::get_unsigned_2_byte_index_at_bcp(Register reg, int bcp_offset) {
 assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
- movl(reg, Address(rsi, bcp_offset));
+ load_unsigned_short(reg, Address(rsi, bcp_offset));
 bswapl(reg);
 shrl(reg, 16);
 }
diff -r 1a04de1aaedb -r ea79ab313e98 src/cpu/x86/vm/interp_masm_x86_64.cpp
--- a/src/cpu/x86/vm/interp_masm_x86_64.cpp Mon Oct 28 21:41:48 2013 +0400
+++ b/src/cpu/x86/vm/interp_masm_x86_64.cpp Wed Oct 30 15:35:25 2013 +0100
@@ -192,7 +192,7 @@
 Register reg,
 int bcp_offset) {
 assert(bcp_offset >= 0, "bcp is still pointing to start of bytecode");
- movl(reg, Address(r13, bcp_offset));
+ load_unsigned_short(reg, Address(r13, bcp_offset));
 bswapl(reg);
 shrl(reg, 16);
 }
diff -r 1a04de1aaedb -r ea79ab313e98 src/cpu/x86/vm/templateTable_x86_32.cpp
--- a/src/cpu/x86/vm/templateTable_x86_32.cpp Mon Oct 28 21:41:48 2013 +0400
+++ b/src/cpu/x86/vm/templateTable_x86_32.cpp Wed Oct 30 15:35:25 2013 +0100
@@ -558,7 +558,7 @@
 void TemplateTable::locals_index_wide(Register reg) {
- __ movl(reg, at_bcp(2));
+ __ load_unsigned_short(reg, at_bcp(2));
 __ bswapl(reg);
 __ shrl(reg, 16);
 __ negptr(reg);
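Review bot: Nothing at the call site in get_unsigned_2_byte_index_at_bcp records why the load is now 16-bit, so load_unsigned_short followed by bswapl and shrl(reg, 16) reads like an odd way to spell a 32-bit read and invites being "simplified" back to movl; add a comment above the load such as `// 2-byte load only: a 4-byte read here can run past the end of the bytecode stream (8027252)`. The interp_masm_x86_64 hunk and the locals_index_wide hunks in templateTable_x86_32 and templateTable_x86_64 carry the same sequence and would take the same comment. With a zero-extended 16-bit value in reg, bswapl plus shrl(reg, 16) is now just a byte swap of the low half; it is correct, but a trailing `// reg = big-endian u2 index, zero-extended` would make the result explicit. The assert only bounds bcp_offset from below; the load width is what bounds the read from above, which is worth saying next to it.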
@@ -1552,7 +1552,11 @@
 InvocationCounter::counter_offset();
 // Load up EDX with the branch displacement
- __ movl(rdx, at_bcp(1));
+ if (is_wide) {
+ __ movl(rdx, at_bcp(1));
+ } else {
+ __ load_signed_short(rdx, at_bcp(1));
+ }
 __ bswapl(rdx);
 if (!is_wide) __ sarl(rdx, 16);
 LP64_ONLY(__ movslq(rdx, rdx));
diff -r 1a04de1aaedb -r ea79ab313e98 src/cpu/x86/vm/templateTable_x86_64.cpp
--- a/src/cpu/x86/vm/templateTable_x86_64.cpp Mon Oct 28 21:41:48 2013 +0400
+++ b/src/cpu/x86/vm/templateTable_x86_64.cpp Wed Oct 30 15:35:25 2013 +0100
@@ -568,7 +568,7 @@
 }
 void TemplateTable::locals_index_wide(Register reg) {
- __ movl(reg, at_bcp(2));
+ __ load_unsigned_short(reg, at_bcp(2));
 __ bswapl(reg);
 __ shrl(reg, 16);
 __ negptr(reg);
@@ -1575,7 +1575,11 @@
 InvocationCounter::counter_offset();
 // Load up edx with the branch displacement
- __ movl(rdx, at_bcp(1));
+ if (is_wide) {
+ __ movl(rdx, at_bcp(1));
+ } else {
+ __ load_signed_short(rdx, at_bcp(1));
+ }
 __ bswapl(rdx);
 if (!is_wide) {
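Review bot: In the new else branch the sign extension that load_signed_short(rdx, at_bcp(1)) produces is discarded: bswapl moves the extension bytes into the low half and the unchanged `if (!is_wide) __ sarl(rdx, 16);` shifts them out while re-extending from bit 15, so load_unsigned_short would yield the same value and would match the loads chosen in the other hunks; either is fine, but the choice should be stated, e.g. `// narrow form: 2-byte displacement, sign restored by the sarl below`. The wide path keeps the 4-byte movl, which stays in bounds only because the wide branch bytecodes carry a 4-byte displacement; extending the existing "Load up EDX" comment to say so would stop the split from reading as an oversight. The enclosing function (presumably the branch helper that takes is_wide) starts and ends outside the hunk. The templateTable_x86_64 hunk at 1575 makes the same change and would take the same comments.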