8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4

Reviewed-by: rsunderbabu, tvoniadka, coffeys

make/conf/version-numbers.conf

@@ -28,15 +28,15 @@
 
 DEFAULT_VERSION_FEATURE=17
 DEFAULT_VERSION_INTERIM=0
-DEFAULT_VERSION_UPDATE=0
+DEFAULT_VERSION_UPDATE=1
 DEFAULT_VERSION_PATCH=0
 DEFAULT_VERSION_EXTRA1=0
 DEFAULT_VERSION_EXTRA2=0
 DEFAULT_VERSION_EXTRA3=0
-DEFAULT_VERSION_DATE=2021-09-14
+DEFAULT_VERSION_DATE=2021-10-19
 DEFAULT_VERSION_CLASSFILE_MAJOR=61  # "`$EXPR $DEFAULT_VERSION_FEATURE + 44`"
 DEFAULT_VERSION_CLASSFILE_MINOR=0
 DEFAULT_VERSION_DOCS_API_SINCE=11
 DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
 DEFAULT_JDK_SOURCE_TARGET_VERSION=17
-DEFAULT_PROMOTED_VERSION_PRE=ea
+DEFAULT_PROMOTED_VERSION_PRE=

src/hotspot/share/classfile/classFileParser.cpp

@@ -3135,6 +3135,13 @@ u2 ClassFileParser::parse_classfile_inner_classes_attribute(const ClassFileStrea
         valid_klass_reference_at(outer_class_info_index),
       "outer_class_info_index %u has bad constant type in class file %s",
       outer_class_info_index, CHECK_0);
+
+    if (outer_class_info_index != 0) {
+      const Symbol* const outer_class_name = cp->klass_name_at(outer_class_info_index);
+      char* bytes = (char*)outer_class_name->bytes();
+      guarantee_property(bytes[0] != JVM_SIGNATURE_ARRAY,
+                         "Outer class is an array class in class file %s", CHECK_0);
+    }
     // Inner class name
     const u2 inner_name_index = cfs->get_u2_fast();
     check_property(

src/hotspot/share/classfile/verifier.cpp

@@ -2316,6 +2316,7 @@ void ClassVerifier::verify_field_instructions(RawBytecodeStream* bcs,
   // Get field name and signature
   Symbol* field_name = cp->name_ref_at(index);
   Symbol* field_sig = cp->signature_ref_at(index);
+  bool is_getfield = false;
 
   // Field signature was checked in ClassFileParser.
   assert(SignatureVerifier::is_valid_type_signature(field_sig),
@@ -2362,11 +2363,9 @@ void ClassVerifier::verify_field_instructions(RawBytecodeStream* bcs,
       break;
     }
     case Bytecodes::_getfield: {
+      is_getfield = true;
       stack_object_type = current_frame->pop_stack(
         target_class_type, CHECK_VERIFY(this));
-      for (int i = 0; i < n; i++) {
-        current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
-      }
       goto check_protected;
     }
     case Bytecodes::_putfield: {
@@ -2396,7 +2395,15 @@ void ClassVerifier::verify_field_instructions(RawBytecodeStream* bcs,
     check_protected: {
       if (_this_type == stack_object_type)
         break; // stack_object_type must be assignable to _current_class_type
-      if (was_recursively_verified()) return;
+      if (was_recursively_verified()) {
+        if (is_getfield) {
+          // Push field type for getfield.
+          for (int i = 0; i < n; i++) {
+            current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
+          }
+        }
+        return;
+      }
       Symbol* ref_class_name =
         cp->klass_name_at(cp->klass_ref_index_at(index));
       if (!name_in_supers(ref_class_name, current_class()))
@@ -2425,6 +2432,12 @@ void ClassVerifier::verify_field_instructions(RawBytecodeStream* bcs,
     }
     default: ShouldNotReachHere();
   }
+  if (is_getfield) {
+    // Push field type for getfield after doing protection check.
+    for (int i = 0; i < n; i++) {
+      current_frame->push_stack(field_type[i], CHECK_VERIFY(this));
+    }
+  }
 }
 
 // Look at the method's handlers.  If the bci is in the handler's try block

src/hotspot/share/oops/instanceKlass.cpp

@@ -3011,6 +3011,18 @@ InstanceKlass* InstanceKlass::compute_enclosing_class(bool* inner_is_member, TRA
     constantPoolHandle i_cp(THREAD, constants());
     if (ooff != 0) {
       Klass* ok = i_cp->klass_at(ooff, CHECK_NULL);
+      if (!ok->is_instance_klass()) {
+        // If the outer class is not an instance klass then it cannot have
+        // declared any inner classes.
+        ResourceMark rm(THREAD);
+        Exceptions::fthrow(
+          THREAD_AND_LOCATION,
+          vmSymbols::java_lang_IncompatibleClassChangeError(),
+          "%s and %s disagree on InnerClasses attribute",
+          ok->external_name(),
+          external_name());
+        return NULL;
+      }
       outer_klass = InstanceKlass::cast(ok);
       *inner_is_member = true;
     }

src/java.base/share/classes/java/net/URLClassLoader.java

@@ -427,6 +427,11 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
                                 return defineClass(name, res);
                             } catch (IOException e) {
                                 throw new ClassNotFoundException(name, e);
+                            } catch (ClassFormatError e2) {
+                                if (res.getDataError() != null) {
+                                    e2.addSuppressed(res.getDataError());
+                                }
+                                throw e2;
                             }
                         } else {
                             return null;

src/java.base/share/classes/java/util/HashMap.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@ package java.util;
 
 import java.io.IOException;
 import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.io.Serializable;
 import java.lang.reflect.ParameterizedType;
 import java.lang.reflect.Type;
@@ -1504,23 +1505,28 @@ public class HashMap<K,V> extends AbstractMap<K,V>
      * @throws IOException if an I/O error occurs
      */
     @java.io.Serial
-    private void readObject(java.io.ObjectInputStream s)
+    private void readObject(ObjectInputStream s)
         throws IOException, ClassNotFoundException {
-        // Read in the threshold (ignored), loadfactor, and any hidden stuff
+
-        s.defaultReadObject();
+        ObjectInputStream.GetField fields = s.readFields();
+
+        // Read loadFactor (ignore threshold)
+        float lf = fields.get("loadFactor", 0.75f);
+        if (lf <= 0 || Float.isNaN(lf))
+            throw new InvalidObjectException("Illegal load factor: " + lf);
+
+        lf = Math.min(Math.max(0.25f, lf), 4.0f);
+        HashMap.UnsafeHolder.putLoadFactor(this, lf);
+
         reinitialize();
-        if (loadFactor <= 0 || Float.isNaN(loadFactor))
+
-            throw new InvalidObjectException("Illegal load factor: " +
-                                             loadFactor);
         s.readInt();                // Read and ignore number of buckets
         int mappings = s.readInt(); // Read number of mappings (size)
-        if (mappings < 0)
+        if (mappings < 0) {
-            throw new InvalidObjectException("Illegal mappings count: " +
+            throw new InvalidObjectException("Illegal mappings count: " + mappings);
-                                             mappings);
+        } else if (mappings == 0) {
-        else if (mappings > 0) { // (if zero, use defaults)
+            // use defaults
-            // Size the table using given load factor only if within
+        } else if (mappings > 0) {
-            // range of 0.25...4.0
-            float lf = Math.min(Math.max(0.25f, loadFactor), 4.0f);
             float fc = (float)mappings / lf + 1.0f;
             int cap = ((fc < DEFAULT_INITIAL_CAPACITY) ?
                        DEFAULT_INITIAL_CAPACITY :
@@ -1549,6 +1555,18 @@ public class HashMap<K,V> extends AbstractMap<K,V>
         }
     }
 
+    // Support for resetting final field during deserializing
+    private static final class UnsafeHolder {
+        private UnsafeHolder() { throw new InternalError(); }
+        private static final jdk.internal.misc.Unsafe unsafe
+                = jdk.internal.misc.Unsafe.getUnsafe();
+        private static final long LF_OFFSET
+                = unsafe.objectFieldOffset(HashMap.class, "loadFactor");
+        static void putLoadFactor(HashMap<?, ?> map, float lf) {
+            unsafe.putFloat(map, LF_OFFSET, lf);
+        }
+    }
+
     /* ------------------------------------------------------------ */
     // iterators
 

src/java.base/share/classes/java/util/HashSet.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -297,8 +297,8 @@ public class HashSet<E>
     @java.io.Serial
     private void readObject(java.io.ObjectInputStream s)
         throws java.io.IOException, ClassNotFoundException {
-        // Read in any hidden serialization magic
+        // Consume and ignore stream fields (currently zero).
-        s.defaultReadObject();
+        s.readFields();
 
         // Read capacity and verify non-negative.
         int capacity = s.readInt();
@@ -313,12 +313,13 @@ public class HashSet<E>
             throw new InvalidObjectException("Illegal load factor: " +
                                              loadFactor);
         }
+        // Clamp load factor to range of 0.25...4.0.
+        loadFactor = Math.min(Math.max(0.25f, loadFactor), 4.0f);
 
         // Read size and verify non-negative.
         int size = s.readInt();
         if (size < 0) {
-            throw new InvalidObjectException("Illegal size: " +
+            throw new InvalidObjectException("Illegal size: " + size);
-                                             size);
         }
 
         // Set the capacity according to the size and load factor ensuring that

src/java.base/share/classes/java/util/jar/JarFile.java

@@ -795,7 +795,7 @@ public class JarFile extends ZipFile {
         try (InputStream is = super.getInputStream(ze)) {
             long uncompressedSize = ze.getSize();
             if (uncompressedSize > MAX_ARRAY_SIZE) {
-                throw new OutOfMemoryError("Required array size too large");
+                throw new IOException("Unsupported size: " + uncompressedSize);
             }
             int len = (int)uncompressedSize;
             int bytesRead;

src/java.base/share/classes/jdk/internal/loader/Resource.java

@@ -187,4 +187,12 @@ public abstract class Resource {
     public CodeSigner[] getCodeSigners() {
         return null;
     }
+
+    /**
+     * Returns non-fatal reading error during data retrieval if there's any.
+     * For example, CRC error when reading a JAR entry.
+     */
+    public Exception getDataError() {
+        return null;
+    }
 }

src/java.base/share/classes/jdk/internal/loader/URLClassPath.java

@@ -61,6 +61,7 @@ import java.util.Properties;
 import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.jar.JarFile;
+import java.util.zip.CRC32;
 import java.util.zip.ZipEntry;
 import java.util.jar.JarEntry;
 import java.util.jar.Manifest;
@@ -870,6 +871,7 @@ public class URLClassPath {
             }
 
             return new Resource() {
+                private Exception dataError = null;
                 public String getName() { return name; }
                 public URL getURL() { return url; }
                 public URL getCodeSourceURL() { return csu; }
@@ -885,6 +887,18 @@ public class URLClassPath {
                     { return entry.getCertificates(); };
                 public CodeSigner[] getCodeSigners()
                     { return entry.getCodeSigners(); };
+                public Exception getDataError()
+                    { return dataError; }
+                public byte[] getBytes() throws IOException {
+                    byte[] bytes = super.getBytes();
+                    CRC32 crc32 = new CRC32();
+                    crc32.update(bytes);
+                    if (crc32.getValue() != entry.getCrc()) {
+                        dataError = new IOException(
+                                "CRC error while extracting entry from JAR file");
+                    }
+                    return bytes;
+                }
             };
         }
 

src/java.base/share/classes/sun/security/pkcs/SignerInfo.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -504,6 +504,14 @@ public class SignerInfo implements DerEncoder {
             case "RSASSA-PSS":
                 PSSParameterSpec spec = (PSSParameterSpec)
                         SignatureUtil.getParamSpec(encAlg, encAlgId.getParameters());
+                /*
+                 * RFC 4056 section 3 for Signed-data:
+                 * signatureAlgorithm MUST contain id-RSASSA-PSS. The algorithm
+                 * parameters field MUST contain RSASSA-PSS-params.
+                 */
+                if (spec == null) {
+                    throw new NoSuchAlgorithmException("Missing PSSParameterSpec for RSASSA-PSS algorithm");
+                }
                 if (!AlgorithmId.get(spec.getDigestAlgorithm()).equals(digAlgId)) {
                     throw new NoSuchAlgorithmException("Incompatible digest algorithm");
                 }

src/java.base/share/classes/sun/security/ssl/CertificateRequest.java

@@ -31,6 +31,7 @@ import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.text.MessageFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -44,6 +45,7 @@ import javax.security.auth.x500.X500Principal;
 import sun.security.ssl.CipherSuite.KeyExchange;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
 import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.ssl.X509Authentication.X509PossessionGenerator;
 
 /**
  * Pack of the CertificateRequest handshake message.
@@ -333,6 +335,16 @@ final class CertificateRequest {
 
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+            chc.receivedCertReq = true;
+
+            // If we're processing this message and the server's certificate
+            // message consumer has not already run then this is a state
+            // machine violation.
+            if (chc.handshakeConsumers.containsKey(
+                    SSLHandshake.CERTIFICATE.id)) {
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateRequest handshake message");
+            }
 
             SSLConsumer certStatCons = chc.handshakeConsumers.remove(
                     SSLHandshake.CERTIFICATE_STATUS.id);
@@ -659,6 +671,16 @@ final class CertificateRequest {
 
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+            chc.receivedCertReq = true;
+
+            // If we're processing this message and the server's certificate
+            // message consumer has not already run then this is a state
+            // machine violation.
+            if (chc.handshakeConsumers.containsKey(
+                    SSLHandshake.CERTIFICATE.id)) {
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateRequest handshake message");
+            }
 
             SSLConsumer certStatCons = chc.handshakeConsumers.remove(
                     SSLHandshake.CERTIFICATE_STATUS.id);
@@ -704,12 +726,11 @@ final class CertificateRequest {
             chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
             chc.peerSupportedAuthorities = crm.getAuthorities();
 
-            // For TLS 1.2, we no longer use the certificate_types field
+            // For TLS 1.2, we need to use a combination of the CR message's
-            // from the CertificateRequest message to directly determine
+            // allowed key types and the signature algorithms in order to
-            // the SSLPossession.  Instead, the choosePossession method
+            // find a certificate chain that has the right key and all certs
-            // will use the accepted signature schemes in the message to
+            // using one or more of the allowed cert signature schemes.
-            // determine the set of acceptable certificate types to select from.
+            SSLPossession pos = choosePossession(chc, crm);
-            SSLPossession pos = choosePossession(chc);
             if (pos == null) {
                 return;
             }
@@ -719,8 +740,8 @@ final class CertificateRequest {
                     SSLHandshake.CERTIFICATE_VERIFY);
         }
 
-        private static SSLPossession choosePossession(HandshakeContext hc)
+        private static SSLPossession choosePossession(HandshakeContext hc,
-                throws IOException {
+                T12CertificateRequestMessage crm) throws IOException {
             if (hc.peerRequestedCertSignSchemes == null ||
                     hc.peerRequestedCertSignSchemes.isEmpty()) {
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@@ -730,6 +751,9 @@ final class CertificateRequest {
                 return null;
             }
 
+            // Put the CR key type into a more friendly format for searching
+            List<String> crKeyTypes = Arrays.asList(crm.getKeyTypes());
+
             Collection<String> checkedKeyTypes = new HashSet<>();
             for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
                 if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
@@ -756,7 +780,7 @@ final class CertificateRequest {
                     continue;
                 }
 
-                SSLAuthentication ka = X509Authentication.valueOf(ss);
+                X509Authentication ka = X509Authentication.valueOf(ss);
                 if (ka == null) {
                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.warning(
@@ -764,6 +788,25 @@ final class CertificateRequest {
                     }
                     checkedKeyTypes.add(ss.keyAlgorithm);
                     continue;
+                } else {
+                    // Any auth object will have a possession generator and
+                    // we need to make sure the key types for that generator
+                    // share at least one common algorithm with the CR's
+                    // allowed key types.
+                    if (ka.possessionGenerator instanceof
+                            X509PossessionGenerator xpg) {
+                        if (Collections.disjoint(crKeyTypes,
+                                Arrays.asList(xpg.keyTypes))) {
+                            if (SSLLogger.isOn &&
+                                    SSLLogger.isOn("ssl,handshake")) {
+                                SSLLogger.warning(
+                                        "Unsupported authentication scheme: " +
+                                                ss.name);
+                            }
+                            checkedKeyTypes.add(ss.keyAlgorithm);
+                            continue;
+                        }
+                    }
                 }
 
                 SSLPossession pos = ka.createPossession(hc);
@@ -926,6 +969,15 @@ final class CertificateRequest {
 
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+            chc.receivedCertReq = true;
+
+            // Ensure that the CertificateRequest has not been sent prior
+            // to EncryptedExtensions
+            if (chc.handshakeConsumers.containsKey(
+                    SSLHandshake.ENCRYPTED_EXTENSIONS.id)) {
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected CertificateRequest handshake message");
+            }
 
             T13CertificateRequestMessage crm =
                     new T13CertificateRequestMessage(chc, message);

src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -90,6 +90,11 @@ class ClientHandshakeContext extends HandshakeContext {
 
     ClientHelloMessage initialClientHelloMsg = null;
 
+    // Flag to indicate receipt of a CertificateRequest message from
+    // the server.  Because this is optional, we cannot guarantee
+    // the handshakeConsumers Map will always have it present there.
+    boolean receivedCertReq = false;
+
     // PSK identity is selected in first Hello and used again after HRR
     byte[] pskIdentity;
 

src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java

@@ -567,6 +567,9 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
 
         HashMap<Byte, List<HoleDescriptor>> holesMap;
 
+        // A map used to check duplicated handshake messages.
+        HashMap<Byte, Integer> messageSeqMap;
+
         HandshakeFlight() {
             this.handshakeType = HF_UNKNOWN;
             this.flightEpoch = 0;
@@ -577,6 +580,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
             this.maxRecordSeq = -1;
 
             this.holesMap = new HashMap<>(5);
+            this.messageSeqMap = new HashMap<>(5);
         }
 
         boolean isRetransmitOf(HandshakeFlight hs) {
@@ -598,6 +602,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
             hf.maxRecordSeq = this.maxRecordSeq;
 
             hf.holesMap = new HashMap<>(this.holesMap);
+            hf.messageSeqMap = new HashMap<>(this.messageSeqMap);
 
             return hf;
         }
@@ -640,7 +645,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
         }
 
         // Queue up a handshake message.
-        void queueUpHandshake(HandshakeFragment hsf) {
+        void queueUpHandshake(HandshakeFragment hsf) throws SSLProtocolException {
             if (!isDesirable(hsf)) {
                 // Not a dedired record, discard it.
                 return;
@@ -707,6 +712,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
                     holes.add(new HoleDescriptor(0, hsf.messageLength));
                 }
                 handshakeFlight.holesMap.put(hsf.handshakeType, holes);
+                handshakeFlight.messageSeqMap.put(hsf.handshakeType, hsf.messageSeq);
             } else if (holes.isEmpty()) {
                 // Have got the full handshake message.  This record may be
                 // a handshake message retransmission.  Discard this record.
@@ -778,7 +784,8 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
         }
 
         // Queue up a ChangeCipherSpec message
-        void queueUpChangeCipherSpec(RecordFragment rf) {
+        void queueUpChangeCipherSpec(RecordFragment rf)
+                throws SSLProtocolException {
             if (!isDesirable(rf)) {
                 // Not a dedired record, discard it.
                 return;
@@ -807,7 +814,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
         // Queue up a ciphertext message.
         //
         // Note: not yet be able to decrypt the message.
-        void queueUpFragment(RecordFragment rf) {
+        void queueUpFragment(RecordFragment rf) throws SSLProtocolException {
             if (!isDesirable(rf)) {
                 // Not a dedired record, discard it.
                 return;
@@ -895,7 +902,7 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
         // Is a desired record?
         //
         // Check for retransmission and lost records.
-        private boolean isDesirable(RecordFragment rf) {
+        private boolean isDesirable(RecordFragment rf) throws SSLProtocolException {
             //
             // Discard records old than the previous epoch.
             //
@@ -970,6 +977,25 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
                 return false;
             }
 
+            // Unexpected duplicated handshake messages.
+            if (rf.recordEpoch == handshakeEpoch &&
+                    // For handshake messages only.
+                    rf instanceof HandshakeFragment hsf &&
+                    // Check on the received handshake messages.
+                    handshakeFlight.holesMap.containsKey(hsf.handshakeType)) {
+                Integer cachedMsgSeq = handshakeFlight.messageSeqMap.get(
+                        hsf.handshakeType);
+                if (cachedMsgSeq != null && cachedMsgSeq != hsf.messageSeq) {
+                    // Handshake messages of the same type but with different
+                    // message sequence numbers are not allowed.
+                    throw new SSLProtocolException(
+                            "Two message sequence numbers are used for the "
+                          + "same handshake message ("
+                          + SSLHandshake.nameOf(hsf.handshakeType)
+                          + ")");
+                }
+            }
+
             return true;
         }
 
@@ -1086,6 +1112,9 @@ final class DTLSInputRecord extends InputRecord implements DTLSRecord {
             // cleanup holes map
             handshakeFlight.holesMap.clear();
 
+            // cleanup handshake message sequence numbers map
+            handshakeFlight.messageSeqMap.clear();
+
             // Ready to accept new input record.
             flightIsReady = false;
             needToCheckFlight = false;

src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java

@@ -27,6 +27,7 @@ package sun.security.ssl;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
 import java.security.GeneralSecurityException;
 import java.security.PublicKey;
 import java.security.interfaces.ECPublicKey;
@@ -35,6 +36,7 @@ import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.ECParameterSpec;
 import java.security.spec.NamedParameterSpec;
 import java.text.MessageFormat;
+import java.util.EnumSet;
 import java.util.Locale;
 import javax.crypto.SecretKey;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
@@ -317,12 +319,19 @@ final class ECDHClientKeyExchange {
 
             // create the credentials
             try {
-                NamedGroup ng = namedGroup;  // "effectively final" the lambda
+                SSLCredentials sslCredentials =
-                // AlgorithmConstraints are checked internally.
+                        namedGroup.decodeCredentials(cke.encodedPoint);
-                SSLCredentials sslCredentials = namedGroup.decodeCredentials(
+                if (shc.algorithmConstraints != null &&
-                        cke.encodedPoint, shc.algorithmConstraints,
+                        sslCredentials instanceof
-                        s -> shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                            NamedGroupCredentials namedGroupCredentials) {
-                        "ClientKeyExchange " + ng + ": " + s));
+                    if (!shc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroupCredentials.getPublicKey())) {
+                        shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                            "ClientKeyExchange for " + namedGroup +
+                            " does not comply with algorithm constraints");
+                    }
+                }
 
                 shc.handshakeCredentials.add(sslCredentials);
             } catch (GeneralSecurityException e) {
@@ -497,12 +506,19 @@ final class ECDHClientKeyExchange {
 
             // create the credentials
             try {
-                NamedGroup ng = namedGroup; // "effectively final" the lambda
+                SSLCredentials sslCredentials =
-                // AlgorithmConstraints are checked internally.
+                        namedGroup.decodeCredentials(cke.encodedPoint);
-                SSLCredentials sslCredentials = namedGroup.decodeCredentials(
+                if (shc.algorithmConstraints != null &&
-                        cke.encodedPoint, shc.algorithmConstraints,
+                        sslCredentials instanceof
-                        s -> shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                                NamedGroupCredentials namedGroupCredentials) {
-                        "ClientKeyExchange " + ng + ": " + s));
+                    if (!shc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroupCredentials.getPublicKey())) {
+                        shc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                            "ClientKeyExchange for " + namedGroup +
+                            " does not comply with algorithm constraints");
+                    }
+                }
 
                 shc.handshakeCredentials.add(sslCredentials);
             } catch (GeneralSecurityException e) {

src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java

@@ -27,6 +27,7 @@ package sun.security.ssl;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
 import java.security.GeneralSecurityException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -37,6 +38,7 @@ import java.security.PublicKey;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.text.MessageFormat;
+import java.util.EnumSet;
 import java.util.Locale;
 import java.util.Map;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
@@ -214,10 +216,19 @@ final class ECDHServerKeyExchange {
             }
 
             try {
-                sslCredentials = namedGroup.decodeCredentials(
+                sslCredentials =
-                    publicPoint, handshakeContext.algorithmConstraints,
+                        namedGroup.decodeCredentials(publicPoint);
-                     s -> chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                if (handshakeContext.algorithmConstraints != null &&
-                     "ServerKeyExchange " + namedGroup + ": " + (s)));
+                        sslCredentials instanceof
+                                NamedGroupCredentials namedGroupCredentials) {
+                    if (!handshakeContext.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroupCredentials.getPublicKey())) {
+                        chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                            "ServerKeyExchange for " + namedGroup +
+                            " does not comply with algorithm constraints");
+                    }
+                }
             } catch (GeneralSecurityException ex) {
                 throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                         "Cannot decode named group: " +

src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java

@@ -208,7 +208,7 @@ abstract class HelloCookieManager {
             byte[] target = md.digest(secret);      // 32 bytes
             target[0] = cookie[0];
 
-            return Arrays.equals(target, cookie);
+            return MessageDigest.isEqual(target, cookie);
         }
     }
 
@@ -361,7 +361,7 @@ abstract class HelloCookieManager {
             md.update(headerBytes);
             byte[] headerCookie = md.digest(secret);
 
-            if (!Arrays.equals(headerCookie, prevHeadCookie)) {
+            if (!MessageDigest.isEqual(headerCookie, prevHeadCookie)) {
                 return false;
             }
 

src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java

@@ -27,6 +27,7 @@ package sun.security.ssl;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
 import java.security.GeneralSecurityException;
 import java.text.MessageFormat;
 import java.util.Collections;
@@ -349,7 +350,8 @@ final class KeyShareExtension {
                 NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
                 if (ng == null || !SupportedGroups.isActivatable(
                         shc.algorithmConstraints, ng)) {
-                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake")) {
                         SSLLogger.fine(
                                 "Ignore unsupported named group: " +
                                 NamedGroup.nameOf(entry.namedGroupId));
@@ -359,16 +361,33 @@ final class KeyShareExtension {
 
                 try {
                     SSLCredentials kaCred =
-                        ng.decodeCredentials(entry.keyExchange,
+                        ng.decodeCredentials(entry.keyExchange);
-                        shc.algorithmConstraints,
+                    if (shc.algorithmConstraints != null &&
-                        s -> SSLLogger.warning(s));
+                            kaCred instanceof
+                                NamedGroupCredentials namedGroupCredentials) {
+                        if (!shc.algorithmConstraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                namedGroupCredentials.getPublicKey())) {
+                            if (SSLLogger.isOn &&
+                                    SSLLogger.isOn("ssl,handshake")) {
+                                SSLLogger.warning(
+                                    "key share entry of " + ng + " does not " +
+                                    " comply with algorithm constraints");
+                            }
+
+                            kaCred = null;
+                        }
+                    }
+
                     if (kaCred != null) {
                         credentials.add(kaCred);
                     }
                 } catch (GeneralSecurityException ex) {
-                    SSLLogger.warning(
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
-                        "Cannot decode named group: " +
+                        SSLLogger.warning(
-                        NamedGroup.nameOf(entry.namedGroupId));
+                                "Cannot decode named group: " +
+                                NamedGroup.nameOf(entry.namedGroupId));
+                    }
                 }
             }
 
@@ -646,9 +665,20 @@ final class KeyShareExtension {
 
             SSLCredentials credentials = null;
             try {
-                SSLCredentials kaCred = ng.decodeCredentials(
+                SSLCredentials kaCred =
-                    keyShare.keyExchange, chc.algorithmConstraints,
+                        ng.decodeCredentials(keyShare.keyExchange);
-                    s -> chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, s));
+                if (chc.algorithmConstraints != null &&
+                        kaCred instanceof
+                                NamedGroupCredentials namedGroupCredentials) {
+                    if (!chc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroupCredentials.getPublicKey())) {
+                        chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                            "key share entry of " + ng + " does not " +
+                            " comply with algorithm constraints");
+                    }
+                }
+
                 if (kaCred != null) {
                     credentials = kaCred;
                 }

src/java.base/share/classes/sun/security/ssl/NamedGroup.java

@@ -419,12 +419,9 @@ enum NamedGroup {
         return spec.encodePossessionPublicKey(namedGroupPossession);
     }
 
-    SSLCredentials decodeCredentials(byte[] encoded,
+    SSLCredentials decodeCredentials(
-            AlgorithmConstraints constraints,
+            byte[] encoded) throws IOException, GeneralSecurityException {
-            ExceptionSupplier onConstraintFail)
+        return spec.decodeCredentials(this, encoded);
-            throws IOException, GeneralSecurityException {
-        return spec.decodeCredentials(
-                this, encoded, constraints, onConstraintFail);
     }
 
     SSLPossession createPossession(SecureRandom random) {
@@ -436,30 +433,13 @@ enum NamedGroup {
         return spec.createKeyDerivation(hc);
     }
 
-    interface ExceptionSupplier {
-        void apply(String s) throws SSLException;
-    }
-
     // A list of operations related to named groups.
     private interface NamedGroupScheme {
-        default void checkConstraints(PublicKey publicKey,
-                AlgorithmConstraints constraints,
-                ExceptionSupplier onConstraintFail) throws SSLException {
-            if (!constraints.permits(
-                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                onConstraintFail.apply("key share entry does not "
-                        + "comply with algorithm constraints");
-            }
-        }
-
         byte[] encodePossessionPublicKey(
                 NamedGroupPossession namedGroupPossession);
 
-        SSLCredentials decodeCredentials(
+        SSLCredentials decodeCredentials(NamedGroup ng,
-                NamedGroup ng, byte[] encoded,
+                byte[] encoded) throws IOException, GeneralSecurityException;
-                AlgorithmConstraints constraints,
-                ExceptionSupplier onConstraintFail
-            ) throws IOException, GeneralSecurityException;
 
         SSLPossession createPossession(NamedGroup ng, SecureRandom random);
 
@@ -524,13 +504,10 @@ enum NamedGroup {
         }
 
         @Override
-        public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded,
+        public SSLCredentials decodeCredentials(NamedGroup ng,
-                    AlgorithmConstraints constraints,
+                byte[] encoded) throws IOException, GeneralSecurityException {
-                    ExceptionSupplier onConstraintFail
-                ) throws IOException, GeneralSecurityException {
             if (scheme != null) {
-                return scheme.decodeCredentials(
+                return scheme.decodeCredentials(ng, encoded);
-                        ng, encoded, constraints, onConstraintFail);
             }
 
             return null;
@@ -567,18 +544,9 @@ enum NamedGroup {
         }
 
         @Override
-        public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded,
+        public SSLCredentials decodeCredentials(NamedGroup ng,
-                AlgorithmConstraints constraints,
+                byte[] encoded) throws IOException, GeneralSecurityException {
-                ExceptionSupplier onConstraintFail
+            return DHKeyExchange.DHECredentials.valueOf(ng, encoded);
-            ) throws IOException, GeneralSecurityException {
-
-            DHKeyExchange.DHECredentials result
-                    = DHKeyExchange.DHECredentials.valueOf(ng, encoded);
-
-            checkConstraints(result.getPublicKey(), constraints,
-                    onConstraintFail);
-
-            return result;
         }
 
         @Override
@@ -605,18 +573,9 @@ enum NamedGroup {
         }
 
         @Override
-        public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded,
+        public SSLCredentials decodeCredentials(NamedGroup ng,
-                AlgorithmConstraints constraints,
+                byte[] encoded) throws IOException, GeneralSecurityException {
-                ExceptionSupplier onConstraintFail
+            return ECDHKeyExchange.ECDHECredentials.valueOf(ng, encoded);
-            ) throws IOException, GeneralSecurityException {
-
-            ECDHKeyExchange.ECDHECredentials result
-                    = ECDHKeyExchange.ECDHECredentials.valueOf(ng, encoded);
-
-            checkConstraints(result.getPublicKey(), constraints,
-                    onConstraintFail);
-
-            return result;
         }
 
         @Override
@@ -641,18 +600,9 @@ enum NamedGroup {
         }
 
         @Override
-        public SSLCredentials decodeCredentials(NamedGroup ng, byte[] encoded,
+        public SSLCredentials decodeCredentials(NamedGroup ng,
-                AlgorithmConstraints constraints,
+                byte[] encoded) throws IOException, GeneralSecurityException {
-                ExceptionSupplier onConstraintFail
+            return XDHKeyExchange.XDHECredentials.valueOf(ng, encoded);
-            ) throws IOException, GeneralSecurityException {
-
-            XDHKeyExchange.XDHECredentials result
-                    = XDHKeyExchange.XDHECredentials.valueOf(ng, encoded);
-
-            checkConstraints(result.getPublicKey(), constraints,
-                    onConstraintFail);
-
-            return result;
         }
 
         @Override

src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java

@@ -31,7 +31,6 @@ import java.text.MessageFormat;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Locale;
-import java.util.Arrays;
 import java.util.Collection;
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
@@ -569,7 +568,7 @@ final class PreSharedKeyExtension {
         SecretKey binderKey = deriveBinderKey(shc, psk, session);
         byte[] computedBinder =
                 computeBinder(shc, binderKey, session, pskBinderHash);
-        if (!Arrays.equals(binder, computedBinder)) {
+        if (!MessageDigest.isEqual(binder, computedBinder)) {
             throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
                     "Incorect PSK binder value");
         }

src/java.base/share/classes/sun/security/ssl/RandomCookie.java

@@ -25,10 +25,12 @@
 
 package sun.security.ssl;
 
+import sun.security.util.ByteArrays;
+
 import java.io.*;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
 import java.security.SecureRandom;
-import java.util.Arrays;
 
 /*
  * RandomCookie ... SSL hands standard format random cookies (nonces)
@@ -111,7 +113,7 @@ final class RandomCookie {
     }
 
     boolean isHelloRetryRequest() {
-        return Arrays.equals(hrrRandomBytes, randomBytes);
+        return MessageDigest.isEqual(hrrRandomBytes, randomBytes);
     }
 
     // Used for client random validation of version downgrade protection.
@@ -130,10 +132,10 @@ final class RandomCookie {
     }
 
     private boolean isT12Downgrade() {
-        return Arrays.equals(randomBytes, 24, 32, t12Protection, 0, 8);
+        return ByteArrays.isEqual(randomBytes, 24, 32, t12Protection, 0, 8);
     }
 
     private boolean isT11Downgrade() {
-        return Arrays.equals(randomBytes, 24, 32, t11Protection, 0, 8);
+        return ByteArrays.isEqual(randomBytes, 24, 32, t11Protection, 0, 8);
     }
 }

src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java

@@ -27,6 +27,7 @@ package sun.security.ssl;
 
 import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
 import java.text.MessageFormat;
 import java.util.Arrays;
 import java.util.Locale;
@@ -37,6 +38,7 @@ import sun.security.ssl.SSLExtension.ExtensionConsumer;
 import static sun.security.ssl.SSLExtension.SH_RENEGOTIATION_INFO;
 import sun.security.ssl.SSLExtension.SSLExtensionSpec;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.ByteArrays;
 
 /**
  * Pack of the "renegotiation_info" extensions [RFC 5746].
@@ -239,7 +241,7 @@ final class RenegoInfoExtension {
                             "renegotiation");
                 } else {
                     // verify the client_verify_data value
-                    if (!Arrays.equals(shc.conContext.clientVerifyData,
+                    if (!MessageDigest.isEqual(shc.conContext.clientVerifyData,
                             spec.renegotiatedConnection)) {
                         throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
                             "Invalid renegotiation_info extension data: " +
@@ -459,14 +461,14 @@ final class RenegoInfoExtension {
                 }
 
                 byte[] cvd = chc.conContext.clientVerifyData;
-                if (!Arrays.equals(spec.renegotiatedConnection,
+                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                         0, cvd.length, cvd, 0, cvd.length)) {
                     throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +
                         "unmatched client_verify_data value");
                 }
                 byte[] svd = chc.conContext.serverVerifyData;
-                if (!Arrays.equals(spec.renegotiatedConnection,
+                if (!ByteArrays.isEqual(spec.renegotiatedConnection,
                         cvd.length, infoLen, svd, 0, svd.length)) {
                     throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "Invalid renegotiation_info in ServerHello: " +

src/java.base/share/classes/sun/security/ssl/SSLLogger.java

@@ -184,7 +184,7 @@ public final class SSLLogger {
     }
 
     private static void log(Level level, String msg, Object... params) {
-        if (logger.isLoggable(level)) {
+        if (logger != null && logger.isLoggable(level)) {
             if (params == null || params.length == 0) {
                 logger.log(level, msg);
             } else {

src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -92,6 +92,17 @@ final class ServerKeyExchange {
             // clean up this consumer
             chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id);
 
+            // Any receipt/consumption of the CertificateRequest before
+            // ServerKeyExchange is a state machine violation.  We may not
+            // know for sure if an early CR message is a violation though until
+            // we have reached this point, due to other TLS features and
+            // optional messages.
+            if (chc.receivedCertReq) {
+                chc.receivedCertReq = false;    // Reset flag
+                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected ServerKeyExchange handshake message");
+            }
+
             SSLConsumer certStatCons = chc.handshakeConsumers.remove(
                     SSLHandshake.CERTIFICATE_STATUS.id);
             if (certStatCons != null) {

src/java.base/share/classes/sun/security/ssl/SessionId.java

@@ -25,6 +25,7 @@
 
 package sun.security.ssl;
 
+import java.security.MessageDigest;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import javax.net.ssl.SSLProtocolException;
@@ -89,7 +90,7 @@ final class SessionId {
 
         if (obj instanceof SessionId) {
             SessionId that = (SessionId)obj;
-            return Arrays.equals(this.sessionId, that.sessionId);
+            return MessageDigest.isEqual(this.sessionId, that.sessionId);
         }
 
         return false;

src/java.base/share/classes/sun/security/ssl/X509Authentication.java

@@ -194,9 +194,9 @@ enum X509Authentication implements SSLAuthentication {
         }
     }
 
-    private static final
+    static final class X509PossessionGenerator
-            class X509PossessionGenerator implements SSLPossessionGenerator {
+                implements SSLPossessionGenerator {
-        private final String[] keyTypes;
+        final String[] keyTypes;
 
         private X509PossessionGenerator(String[] keyTypes) {
             this.keyTypes = keyTypes;

src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java

@@ -32,7 +32,10 @@ import java.security.cert.CertificateEncodingException;
 import java.security.*;
 import java.security.spec.ECGenParameterSpec;
 import java.security.spec.NamedParameterSpec;
+import java.util.Calendar;
 import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.TimeZone;
 
 import sun.security.pkcs10.PKCS10;
 import sun.security.util.SignatureUtil;
@@ -304,6 +307,12 @@ public final class CertAndKeyGen {
         try {
             lastDate = new Date ();
             lastDate.setTime (firstDate.getTime () + validity * 1000);
+            Calendar c = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
+            c.setTime(lastDate);
+            if (c.get(Calendar.YEAR) > 9999) {
+                throw new CertificateException("Validity period ends at calendar year " +
+                        c.get(Calendar.YEAR) + " which is greater than 9999");
+            }
 
             CertificateValidity interval =
                                    new CertificateValidity(firstDate,lastDate);

src/java.base/share/classes/sun/security/tools/keytool/Main.java

@@ -1445,8 +1445,7 @@ public final class Main {
                                            X509CertInfo.DN_NAME);
 
         Date firstDate = getStartDate(startDate);
-        Date lastDate = new Date();
+        Date lastDate = getLastDate(firstDate, validity);
-        lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
         CertificateValidity interval = new CertificateValidity(firstDate,
                                                                lastDate);
 
@@ -1560,12 +1559,10 @@ public final class Main {
                                                       X509CertInfo.DN_NAME);
 
         Date firstDate = getStartDate(startDate);
-        Date lastDate = (Date) firstDate.clone();
+        Date lastDate = getLastDate(firstDate, validity);
-        lastDate.setTime(lastDate.getTime() + validity*1000*24*60*60);
         CertificateValidity interval = new CertificateValidity(firstDate,
                                                                lastDate);
 
-
         PrivateKey privateKey =
                 (PrivateKey)recoverKey(alias, storePass, keyPass).fst;
         if (sigAlgName == null) {
@@ -3033,8 +3030,7 @@ public final class Main {
 
         // Extend its validity
         Date firstDate = getStartDate(startDate);
-        Date lastDate = new Date();
+        Date lastDate = getLastDate(firstDate, validity);
-        lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
         CertificateValidity interval = new CertificateValidity(firstDate,
                                                                lastDate);
         certInfo.set(X509CertInfo.VALIDITY, interval);
@@ -4695,6 +4691,21 @@ public final class Main {
         return result;
     }
 
+    private Date getLastDate(Date firstDate, long validity)
+            throws Exception {
+        Date lastDate = new Date();
+        lastDate.setTime(firstDate.getTime() + validity*1000L*24L*60L*60L);
+
+        Calendar c = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
+        c.setTime(lastDate);
+        if (c.get(Calendar.YEAR) > 9999) {
+            throw new Exception("Validity period ends at calendar year " +
+                    c.get(Calendar.YEAR) + " which is greater than 9999");
+        }
+
+        return lastDate;
+    }
+
     private boolean isTrustedCert(Certificate cert) throws KeyStoreException {
         if (caks != null && caks.getCertificateAlias(cert) != null) {
             return true;

src/java.base/share/classes/sun/security/util/ByteArrays.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+/**
+ * A time-instance comparison of two byte arrays.
+ */
+public class ByteArrays {
+    // See the MessageDigest.isEqual(byte[] digesta, byte[] digestb)
+    // implementation.  This is a potential enhancement of the
+    // MessageDigest class.
+    public static boolean isEqual(byte[] a, int aFromIndex, int aToIndex,
+                                 byte[] b, int bFromIndex, int bToIndex) {
+        if (a == b) {
+            return true;
+        }
+
+        if (a == null || b == null) {
+            return false;
+        }
+
+        if (a.length == 0) {
+            return b.length == 0;
+        }
+
+        int lenA = aToIndex - aFromIndex;
+        int lenB = bToIndex - bFromIndex;
+
+        if (lenB == 0) {
+            return lenA == 0;
+        }
+
+        int result = 0;
+        result |= lenA - lenB;
+
+        // time-constant comparison
+        for (int indexA = 0; indexA < lenA; indexA++) {
+            int indexB = ((indexA - lenB) >>> 31) * indexA;
+            result |= a[aFromIndex + indexA] ^ b[bFromIndex + indexB];
+        }
+
+        return result == 0;
+    }
+}

src/java.base/share/classes/sun/security/util/DerIndefLenConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,9 +31,12 @@ import java.util.ArrayList;
 import java.util.Arrays;
 
 /**
- * A package private utility class to convert indefinite length DER
+ * A package private utility class to convert indefinite length BER
  * encoded byte arrays to definite length DER encoded byte arrays.
- *
+ * <p>
+ * Note: This class only substitute indefinite length octets to definite
+ * length octets. It does not update the contents even if they are not DER.
+ * <p>
  * This assumes that the basic data structure is "tag, length, value"
  * triplet. In the case where the length is "indefinite", terminating
  * end-of-contents bytes are expected.
@@ -42,26 +45,30 @@ import java.util.Arrays;
  */
 class DerIndefLenConverter {
 
-    private static final int TAG_MASK            = 0x1f; // bits 5-1
-    private static final int FORM_MASK           = 0x20; // bits 6
-    private static final int CLASS_MASK          = 0xC0; // bits 8 and 7
-
     private static final int LEN_LONG            = 0x80; // bit 8 set
     private static final int LEN_MASK            = 0x7f; // bits 7 - 1
-    private static final int SKIP_EOC_BYTES      = 2;
 
     private byte[] data, newData;
     private int newDataPos, dataPos, dataSize, index;
     private int unresolved = 0;
 
+    // A list to store each indefinite length occurrence. Whenever an indef
+    // length is seen, the position after the 0x80 byte is appended to the
+    // list as an integer. Whenever its matching EOC is seen, we know the
+    // actual length and the position value is substituted with a calculated
+    // length octets. At the end, the new DER encoding is a concatenation of
+    // all existing tags, existing definite length octets, existing contents,
+    // and the newly created definte length octets in this list.
     private ArrayList<Object> ndefsList = new ArrayList<Object>();
 
+    // Length of extra bytes needed to convert indefinite encoding to definite.
+    // For each resolved indefinite length encoding, the starting 0x80 byte
+    // and the ending 00 00 bytes will be removed and a new definite length
+    // octets will be added. This value might be positive or negative.
     private int numOfTotalLenBytes = 0;
 
-    private boolean isEOC(int tag) {
+    private static boolean isEOC(byte[] data, int pos) {
-        return (((tag & TAG_MASK) == 0x00) &&  // EOC
+        return data[pos] == 0 && data[pos + 1] == 0;
-                ((tag & FORM_MASK) == 0x00) && // primitive
-                ((tag & CLASS_MASK) == 0x00)); // universal
     }
 
     // if bit 8 is set then it implies either indefinite length or long form
@@ -70,9 +77,9 @@ class DerIndefLenConverter {
     }
 
     /*
-     * Default package private constructor
+     * Private constructor
      */
-    DerIndefLenConverter() { }
+    private DerIndefLenConverter() { }
 
     /**
      * Checks whether the given length byte is of the form
@@ -88,11 +95,14 @@ class DerIndefLenConverter {
     }
 
     /**
-     * Parse the tag and if it is an end-of-contents tag then
+     * Consumes the tag at {@code dataPos}.
-     * add the current position to the <code>eocList</code> vector.
+     * <p>
+     * If it is EOC then replace the matching start position (i.e. the previous
+     * {@code dataPos} where an indefinite length was found by #parseLength)
+     * in {@code ndefsList} with a length octets for this section.
      */
     private void parseTag() throws IOException {
-        if (isEOC(data[dataPos]) && (data[dataPos + 1] == 0)) {
+        if (isEOC(data, dataPos)) {
             int numOfEncapsulatedLenBytes = 0;
             Object elem = null;
             int index;
@@ -103,6 +113,9 @@ class DerIndefLenConverter {
                 if (elem instanceof Integer) {
                     break;
                 } else {
+                    // For each existing converted part, 3 bytes (80 at the
+                    // beginning and 00 00 at the end) are removed and a
+                    // new length octets is added.
                     numOfEncapsulatedLenBytes += ((byte[])elem).length - 3;
                 }
             }
@@ -114,6 +127,7 @@ class DerIndefLenConverter {
                              numOfEncapsulatedLenBytes;
             byte[] sectionLenBytes = getLengthBytes(sectionLen);
             ndefsList.set(index, sectionLenBytes);
+            assert unresolved > 0;
             unresolved--;
 
             // Add the number of bytes required to represent this section
@@ -130,34 +144,41 @@ class DerIndefLenConverter {
      * then skip the tag and its 1 byte length of zero.
      */
     private void writeTag() {
-        if (dataPos == dataSize)
+        if (dataPos == dataSize) {
             return;
-        int tag = data[dataPos++];
+        }
-        if (isEOC(tag) && (data[dataPos] == 0)) {
+        assert dataPos + 1 < dataSize;
-            dataPos++;  // skip length
+        if (isEOC(data, dataPos)) {
+            dataPos += 2;  // skip tag and length
             writeTag();
-        } else
+        } else {
-            newData[newDataPos++] = (byte)tag;
+            newData[newDataPos++] = data[dataPos++];
+        }
     }
 
     /**
-     * Parse the length and if it is an indefinite length then add
+     * Parse the length octets started at {@code dataPos}. After this method
-     * the current position to the <code>ndefsList</code> vector.
+     * is called, {@code dataPos} is placed after the length octets except
+     * -1 is returned.
      *
-     * @return the length of definite length data next, or -1 if there is
+     * @return a) the length of definite length data next
-     *         not enough bytes to determine it
+     *         b) -1, if it is a definite length data next but the length
+     *            octets is not complete to determine the actual length
+     *         c) 0, if it is an indefinite length. Also, append the current
+     *            position to the {@code ndefsList} vector.
      * @throws IOException if invalid data is read
      */
     private int parseLength() throws IOException {
-        int curLen = 0;
+        if (dataPos == dataSize) {
-        if (dataPos == dataSize)
+            return 0;
-            return curLen;
+        }
         int lenByte = data[dataPos++] & 0xff;
         if (isIndefinite(lenByte)) {
             ndefsList.add(dataPos);
             unresolved++;
-            return curLen;
+            return 0;
         }
+        int curLen = 0;
         if (isLongForm(lenByte)) {
             lenByte &= LEN_MASK;
             if (lenByte > 4) {
@@ -179,14 +200,17 @@ class DerIndefLenConverter {
     }
 
     /**
-     * Write the length and if it is an indefinite length
+     * Write the length and value.
-     * then calculate the definite length from the positions
+     * <p>
-     * of the indefinite length and its matching EOC terminator.
+     * If it was definite length, just re-write the length and copy the value.
-     * Then, write the value.
+     * If it was an indefinite length, copy the precalculated definite octets
+     * from {@code ndefsList}. There is no values here because they will be
+     * sub-encodings of a constructed encoding.
      */
     private void writeLengthAndValue() throws IOException {
-        if (dataPos == dataSize)
+        if (dataPos == dataSize) {
-           return;
+            return;
+        }
         int curLen = 0;
         int lenByte = data[dataPos++] & 0xff;
         if (isIndefinite(lenByte)) {
@@ -194,21 +218,21 @@ class DerIndefLenConverter {
             System.arraycopy(lenBytes, 0, newData, newDataPos,
                              lenBytes.length);
             newDataPos += lenBytes.length;
-            return;
-        }
-        if (isLongForm(lenByte)) {
-            lenByte &= LEN_MASK;
-            for (int i = 0; i < lenByte; i++) {
-                curLen = (curLen << 8) + (data[dataPos++] & 0xff);
-            }
-            if (curLen < 0) {
-                throw new IOException("Invalid length bytes");
-            }
         } else {
-            curLen = (lenByte & LEN_MASK);
+            if (isLongForm(lenByte)) {
+                lenByte &= LEN_MASK;
+                for (int i = 0; i < lenByte; i++) {
+                    curLen = (curLen << 8) + (data[dataPos++] & 0xff);
+                }
+                if (curLen < 0) {
+                    throw new IOException("Invalid length bytes");
+                }
+            } else {
+                curLen = (lenByte & LEN_MASK);
+            }
+            writeLength(curLen);
+            writeValue(curLen);
         }
-        writeLength(curLen);
-        writeValue(curLen);
     }
 
     private void writeLength(int curLen) {
@@ -296,19 +320,13 @@ class DerIndefLenConverter {
         return numOfLenBytes;
     }
 
-    /**
-     * Parse the value;
-     */
-    private void parseValue(int curLen) {
-        dataPos += curLen;
-    }
-
     /**
      * Write the value;
      */
     private void writeValue(int curLen) {
-        for (int i=0; i < curLen; i++)
+        System.arraycopy(data, dataPos, newData, newDataPos, curLen);
-            newData[newDataPos++] = data[dataPos++];
+        dataPos += curLen;
+        newDataPos += curLen;
     }
 
     /**
@@ -323,10 +341,8 @@ class DerIndefLenConverter {
      */
     byte[] convertBytes(byte[] indefData) throws IOException {
         data = indefData;
-        dataPos=0; index=0;
+        dataPos = 0;
         dataSize = data.length;
-        int len=0;
-        int unused = 0;
 
         // parse and set up the vectors of all the indefinite-lengths
         while (dataPos < dataSize) {
@@ -335,14 +351,17 @@ class DerIndefLenConverter {
                 return null;
             }
             parseTag();
-            len = parseLength();
+            int len = parseLength();
             if (len < 0) {
                 return null;
             }
-            parseValue(len);
+            dataPos += len;
+            if (dataPos < 0) {
+                // overflow
+                throw new IOException("Data overflow");
+            }
             if (unresolved == 0) {
-                unused = dataSize - dataPos;
+                assert !ndefsList.isEmpty() && ndefsList.get(0) instanceof byte[];
-                dataSize = dataPos;
                 break;
             }
         }
@@ -351,14 +370,18 @@ class DerIndefLenConverter {
             return null;
         }
 
+        int unused = dataSize - dataPos;
+        assert unused >= 0;
+        dataSize = dataPos;
+
         newData = new byte[dataSize + numOfTotalLenBytes + unused];
-        dataPos=0; newDataPos=0; index=0;
+        dataPos = 0; newDataPos = 0; index = 0;
 
         // write out the new byte array replacing all the indefinite-lengths
         // and EOCs
         while (dataPos < dataSize) {
-           writeTag();
+            writeTag();
-           writeLengthAndValue();
+            writeLengthAndValue();
         }
         System.arraycopy(indefData, dataSize,
                          newData, dataSize + numOfTotalLenBytes, unused);
@@ -395,7 +418,7 @@ class DerIndefLenConverter {
             if (result == null) {
                 int next = in.read(); // This could block, but we need more
                 if (next == -1) {
-                    throw new IOException("not all indef len BER resolved");
+                    throw new IOException("not enough data to resolve indef len BER");
                 }
                 int more = in.available();
                 // expand array to include next and more

src/java.base/share/classes/sun/security/util/ManifestDigester.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -331,8 +331,12 @@ public class ManifestDigester {
      * @see #MF_MAIN_ATTRS
      */
     public Entry getMainAttsEntry(boolean oldStyle) {
-        mainAttsEntry.oldStyle = oldStyle;
+        if (mainAttsEntry != null) {
-        return mainAttsEntry;
+            mainAttsEntry.oldStyle = oldStyle;
+            return mainAttsEntry;
+        } else {
+            return null;
+        }
     }
 
     public Entry get(String name) {

src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java

@@ -543,6 +543,10 @@ public class SignatureFileVerifier {
                 MessageDigest digest = getDigest(algorithm);
                 if (digest != null) {
                     ManifestDigester.Entry mde = md.getMainAttsEntry(false);
+                    if (mde == null) {
+                        throw new SignatureException("Manifest Main Attribute check " +
+                                "failed due to missing main attributes entry");
+                    }
                     byte[] computedHash = mde.digest(digest);
                     byte[] expectedHash =
                         Base64.getMimeDecoder().decode((String)se.getValue());

src/java.desktop/macosx/classes/sun/lwawt/macosx/CPrinterJob.java

@@ -33,6 +33,7 @@ import java.awt.print.*;
 import java.net.URI;
 import java.security.AccessController;
 import java.security.PrivilegedAction;
+import java.util.concurrent.atomic.AtomicReference;
 
 import javax.print.*;
 import javax.print.attribute.PrintRequestAttributeSet;
@@ -60,6 +61,7 @@ public final class CPrinterJob extends RasterPrinterJob {
     private static String sShouldNotReachHere = "Should not reach here.";
 
     private volatile SecondaryLoop printingLoop;
+    private AtomicReference<Throwable> printErrorRef = new AtomicReference<>();
 
     private boolean noDefaultPrinter = false;
 
@@ -323,6 +325,7 @@ public final class CPrinterJob extends RasterPrinterJob {
                 performingPrinting = true;
                 userCancelled = false;
             }
+            printErrorRef.set(null);
 
             //Add support for PageRange
             PageRanges pr = (attributes == null) ?  null
@@ -381,6 +384,15 @@ public final class CPrinterJob extends RasterPrinterJob {
             if (printingLoop != null) {
                 printingLoop.exit();
             }
+
+            Throwable printError = printErrorRef.getAndSet(null);
+            if (printError != null) {
+                if (printError instanceof PrinterException) {
+                    throw (PrinterException) printError;
+                }
+                throw (PrinterException)
+                    new PrinterException().initCause(printError);
+            }
         }
 
         // Normalize the collated, # copies, numPages, first/last pages. Need to
@@ -786,22 +798,36 @@ public final class CPrinterJob extends RasterPrinterJob {
     private Rectangle2D printAndGetPageFormatArea(final Printable printable, final Graphics graphics, final PageFormat pageFormat, final int pageIndex) {
         final Rectangle2D[] ret = new Rectangle2D[1];
 
-        Runnable r = new Runnable() { public void run() { synchronized(ret) {
+        Runnable r = new Runnable() {
-            try {
+            @Override
-                int pageResult = printable.print(graphics, pageFormat, pageIndex);
+            public void run() {
-                if (pageResult != Printable.NO_SUCH_PAGE) {
+                synchronized (ret) {
-                    ret[0] = getPageFormatArea(pageFormat);
+                    try {
+                        int pageResult = printable.print(
+                            graphics, pageFormat, pageIndex);
+                        if (pageResult != Printable.NO_SUCH_PAGE) {
+                            ret[0] = getPageFormatArea(pageFormat);
+                        }
+                    } catch (Throwable t) {
+                        printErrorRef.compareAndSet(null, t);
+                    }
                 }
-            } catch (Exception e) {} // Original code bailed on any exception
+            }
-        }}};
+        };
 
         if (onEventThread) {
-            try { EventQueue.invokeAndWait(r); } catch (Exception e) { e.printStackTrace(); }
+            try {
+                EventQueue.invokeAndWait(r);
+            } catch (Throwable t) {
+                printErrorRef.compareAndSet(null, t);
+            }
         } else {
             r.run();
         }
 
-        synchronized(ret) { return ret[0]; }
+        synchronized (ret) {
+            return ret[0];
+        }
     }
 
     // upcall from native

src/java.desktop/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java

@@ -591,6 +591,13 @@ public class BMPImageReader extends ImageReader implements BMPConstants {
             height = Math.abs(height);
         }
 
+        if (metadata.compression == BI_RGB) {
+            long imageDataSize = (width * height * (bitsPerPixel / 8));
+            if (imageDataSize > (bitmapFileSize - bitmapOffset)) {
+                throw new IIOException(I18N.getString("BMPImageReader9"));
+            }
+        }
+
         // Reset Image Layout so there's only one tile.
         //Define the color space
         ColorSpace colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB);

src/java.desktop/share/classes/com/sun/imageio/plugins/common/iio-plugin.properties

@@ -24,6 +24,7 @@ BMPImageReader5=Input has not been set.
 BMPImageReader6=Unable to read the image header.
 BMPImageReader7=Invalid bitmap offset.
 BMPImageReader8=Invalid bits per pixel in image header.
+BMPImageReader9=Invalid width/height for BI_RGB image data.
 BMPImageWriter0=Output is not an ImageOutputStream.
 BMPImageWriter1=The image region to be encoded is empty.
 BMPImageWriter2=Only 1 or 3 band image is encoded.

src/java.desktop/share/classes/javax/swing/text/rtf/RTFParser.java

@@ -233,25 +233,52 @@ abstract class RTFParser extends AbstractFilter
           currentCharacters.append(ch);
         } else {
           /* TODO: Test correct behavior of \bin keyword */
+
           if (pendingKeyword.equals("bin")) {  /* magic layer-breaking kwd */
-            long parameter = Long.parseLong(currentCharacters.toString());
+            long parameter = 0L;
+            try {
+              parameter = Long.parseLong(currentCharacters.toString());
+            } catch (NumberFormatException e) {
+              warning("Illegal number format " + currentCharacters.toString()
+                              + " in \bin tag");
+              pendingKeyword = null;
+              currentCharacters = new StringBuffer();
+              state = S_text;
+              // Delimiters here are interpreted as text too
+              if (!Character.isWhitespace(ch))
+                write(ch);
+              break;
+            }
             pendingKeyword = null;
             state = S_inblob;
+            int maxBytes = 4 * 1024 * 1024;
             binaryBytesLeft = parameter;
-            if (binaryBytesLeft > Integer.MAX_VALUE)
+
-                binaryBuf = new ByteArrayOutputStream(Integer.MAX_VALUE);
+            if (binaryBytesLeft > maxBytes) {
-            else
+              binaryBuf = new ByteArrayOutputStream(maxBytes);
-                binaryBuf = new ByteArrayOutputStream((int)binaryBytesLeft);
+            } else if (binaryBytesLeft < 0) {
+              binaryBytesLeft = 0;
+              binaryBuf = new ByteArrayOutputStream((int)binaryBytesLeft);
+            } else {
+              binaryBuf = new ByteArrayOutputStream((int) binaryBytesLeft);
+            }
             savedSpecials = specialsTable;
             specialsTable = allSpecialsTable;
             break;
           }
 
-          int parameter = Integer.parseInt(currentCharacters.toString());
+          int parameter = 0;
-          ok = handleKeyword(pendingKeyword, parameter);
+          try {
-          if (!ok)
+            parameter = Integer.parseInt(currentCharacters.toString());
-            warning("Unknown keyword: " + pendingKeyword +
+            ok = handleKeyword(pendingKeyword, parameter);
-                    " (param " + currentCharacters + ")");
+            if (!ok) {
+                warning("Unknown keyword: " + pendingKeyword +
+                        " (param " + currentCharacters + ")");
+            }
+          } catch (NumberFormatException e) {
+            warning("Illegal number format " + currentCharacters.toString()
+                    + " in " + pendingKeyword + " tag");
+          }
           pendingKeyword = null;
           currentCharacters = new StringBuffer();
           state = S_text;
@@ -280,14 +307,16 @@ abstract class RTFParser extends AbstractFilter
         }
         break;
       case S_inblob:
-        binaryBuf.write(ch);
+        if (binaryBytesLeft > 0) {
-        binaryBytesLeft --;
+          binaryBuf.write(ch);
+          binaryBytesLeft--;
+        }
         if (binaryBytesLeft == 0) {
-            state = S_text;
+          state = S_text;
-            specialsTable = savedSpecials;
+          specialsTable = savedSpecials;
-            savedSpecials = null;
+          savedSpecials = null;
-            handleBinaryBlob(binaryBuf.toByteArray());
+          handleBinaryBlob(binaryBuf.toByteArray());
-            binaryBuf = null;
+          binaryBuf = null;
         }
       }
   }

src/java.desktop/share/classes/javax/swing/text/rtf/RTFReader.java

@@ -66,12 +66,12 @@ class RTFReader extends RTFParser
   Dictionary<Integer, String> fontTable;
   /** This array maps color indices to Color objects. */
   Color[] colorTable;
-  /** This array maps character style numbers to Style objects. */
+  /** This Map maps character style numbers to Style objects. */
-  Style[] characterStyles;
+  Map<Integer, Style> characterStyles;
-  /** This array maps paragraph style numbers to Style objects. */
+  /** This Map maps paragraph style numbers to Style objects. */
-  Style[] paragraphStyles;
+  Map<Integer, Style> paragraphStyles;
-  /** This array maps section style numbers to Style objects. */
+  /** This Map maps section style numbers to Style objects. */
-  Style[] sectionStyles;
+  Map<Integer, Style> sectionStyles;
 
   /** This is the RTF version number, extracted from the \rtf keyword.
    *  The version information is currently not used. */
@@ -842,9 +842,9 @@ class StylesheetDestination
 
     public void close()
     {
-        Vector<Style> chrStyles = new Vector<Style>();
+        Map<Integer, Style> chrStyles = new HashMap<>();
-        Vector<Style> pgfStyles = new Vector<Style>();
+        Map<Integer, Style> pgfStyles = new HashMap<>();
-        Vector<Style> secStyles = new Vector<Style>();
+        Map<Integer, Style> secStyles = new HashMap<>();
         Enumeration<StyleDefiningDestination> styles = definedStyles.elements();
         while(styles.hasMoreElements()) {
             StyleDefiningDestination style;
@@ -853,32 +853,24 @@ class StylesheetDestination
             defined = style.realize();
             warning("Style "+style.number+" ("+style.styleName+"): "+defined);
             String stype = (String)defined.getAttribute(Constants.StyleType);
-            Vector<Style> toSet;
+            Map<Integer, Style> toMap;
             if (stype.equals(Constants.STSection)) {
-                toSet = secStyles;
+                toMap = secStyles;
             } else if (stype.equals(Constants.STCharacter)) {
-                toSet = chrStyles;
+                toMap = chrStyles;
             } else {
-                toSet = pgfStyles;
+                toMap = pgfStyles;
             }
-            if (toSet.size() <= style.number)
+            toMap.put(style.number, defined);
-                toSet.setSize(style.number + 1);
-            toSet.setElementAt(defined, style.number);
         }
         if (!(chrStyles.isEmpty())) {
-            Style[] styleArray = new Style[chrStyles.size()];
+            characterStyles = chrStyles;
-            chrStyles.copyInto(styleArray);
-            characterStyles = styleArray;
         }
         if (!(pgfStyles.isEmpty())) {
-            Style[] styleArray = new Style[pgfStyles.size()];
+            paragraphStyles = pgfStyles;
-            pgfStyles.copyInto(styleArray);
-            paragraphStyles = styleArray;
         }
         if (!(secStyles.isEmpty())) {
-            Style[] styleArray = new Style[secStyles.size()];
+            sectionStyles = secStyles;
-            secStyles.copyInto(styleArray);
-            sectionStyles = styleArray;
         }
 
 /* (old debugging code)
@@ -961,6 +953,14 @@ class StylesheetDestination
 
         public boolean handleKeyword(String keyword, int parameter)
         {
+            // As per http://www.biblioscape.com/rtf15_spec.htm#Heading2
+            // we are restricting control word delimiter numeric value
+            // to be within -32767 through 32767
+            if (parameter > 32767) {
+                parameter = 32767;
+            } else if (parameter < -32767) {
+                parameter = -32767;
+            }
             if (keyword.equals("s")) {
                 characterStyle = false;
                 sectionStyle = false;
@@ -983,19 +983,27 @@ class StylesheetDestination
             return true;
         }
 
-        public Style realize()
+        public Style realize() {
+            return realize(null);
+        }
+
+        private Style realize(Set<Integer> alreadyMetBasisIndexSet)
         {
             Style basis = null;
             Style next = null;
 
+            if (alreadyMetBasisIndexSet == null) {
+                alreadyMetBasisIndexSet = new HashSet<>();
+            }
+
             if (realizedStyle != null)
                 return realizedStyle;
 
-            if (basedOn != STYLENUMBER_NONE) {
+            if (basedOn != STYLENUMBER_NONE && alreadyMetBasisIndexSet.add(basedOn)) {
                 StyleDefiningDestination styleDest;
-                styleDest = definedStyles.get(Integer.valueOf(basedOn));
+                styleDest = definedStyles.get(basedOn);
                 if (styleDest != null && styleDest != this) {
-                    basis = styleDest.realize();
+                    basis = styleDest.realize(alreadyMetBasisIndexSet);
                 }
             }
 
@@ -1296,19 +1304,19 @@ abstract class AttributeTrackingDestination implements Destination
 
         if (keyword.equals("s") &&
             paragraphStyles != null) {
-            parserState.put("paragraphStyle", paragraphStyles[parameter]);
+            parserState.put("paragraphStyle", paragraphStyles.get(parameter));
             return true;
         }
 
         if (keyword.equals("cs") &&
             characterStyles != null) {
-            parserState.put("characterStyle", characterStyles[parameter]);
+            parserState.put("characterStyle", characterStyles.get(parameter));
             return true;
         }
 
         if (keyword.equals("ds") &&
             sectionStyles != null) {
-            parserState.put("sectionStyle", sectionStyles[parameter]);
+            parserState.put("sectionStyle", sectionStyles.get(parameter));
             return true;
         }
 

src/java.net.http/share/classes/jdk/internal/net/http/Http2Connection.java

@@ -121,7 +121,6 @@ class Http2Connection  {
 
     static private final int MAX_CLIENT_STREAM_ID = Integer.MAX_VALUE; // 2147483647
     static private final int MAX_SERVER_STREAM_ID = Integer.MAX_VALUE - 1; // 2147483646
-    static private final int BUFFER = 8; // added as an upper bound
 
     /**
      * Flag set when no more streams to be opened on this connection.

src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java

@@ -793,13 +793,19 @@ public final class JarSigner {
                 ManifestDigester oldMd = new ManifestDigester(mfRawBytes);
                 ManifestDigester newMd = new ManifestDigester(mfNewRawBytes);
 
+                ManifestDigester.Entry oldEntry = oldMd.getMainAttsEntry();
+
                 // main attributes
-                if (manifest.getMainAttributes().equals(
+                if (oldEntry != null
-                        oldManifest.getMainAttributes())
+                        && manifest.getMainAttributes().equals(
+                                oldManifest.getMainAttributes())
                         && (manifest.getEntries().isEmpty() ||
-                            oldMd.getMainAttsEntry().isProperlyDelimited())) {
+                                oldEntry.isProperlyDelimited())) {
-                    oldMd.getMainAttsEntry().reproduceRaw(baos);
+                    oldEntry.reproduceRaw(baos);
                 } else {
+                    if (newMd.getMainAttsEntry() == null) {
+                        throw new SignatureException("Error getting new main attribute entry");
+                    }
                     newMd.getMainAttsEntry().reproduceRaw(baos);
                 }
 

test/jdk/java/awt/print/PrinterJob/ExceptionFromPrintableIsIgnoredTest.java

@@ -0,0 +1,134 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/* @test
+   @bug 8262731
+   @key headful printer
+   @summary Verify that "PrinterJob.print" throws the expected exception,
+            if "Printable.print" throws an exception.
+   @run main ExceptionFromPrintableIsIgnoredTest MAIN PE
+   @run main ExceptionFromPrintableIsIgnoredTest MAIN RE
+   @run main ExceptionFromPrintableIsIgnoredTest EDT PE
+   @run main ExceptionFromPrintableIsIgnoredTest EDT RE
+ */
+
+import java.awt.Graphics;
+import java.awt.print.PageFormat;
+import java.awt.print.Printable;
+import java.awt.print.PrinterException;
+import java.awt.print.PrinterJob;
+import java.lang.reflect.InvocationTargetException;
+import javax.swing.SwingUtilities;
+
+public class ExceptionFromPrintableIsIgnoredTest {
+    private enum TestThreadType {MAIN, EDT}
+    private enum TestExceptionType {PE, RE}
+
+    private volatile Throwable printError;
+
+    public static void main(String[] args) {
+        if (args.length < 2) {
+            throw new RuntimeException("Two arguments are expected:"
+                    + " test thread type and test exception type.");
+        }
+
+        new ExceptionFromPrintableIsIgnoredTest(
+            TestThreadType.valueOf(args[0]),
+            TestExceptionType.valueOf(args[1]));
+    }
+
+    public ExceptionFromPrintableIsIgnoredTest(
+            final TestThreadType threadType,
+            final TestExceptionType exceptionType) {
+        System.out.println(String.format(
+                "Test started. threadType='%s', exceptionType='%s'",
+                threadType, exceptionType));
+
+        String osName = System.getProperty("os.name");
+        boolean isOSX = osName.toLowerCase().startsWith("mac");
+        if ((exceptionType == TestExceptionType.RE) && !isOSX) {
+            System.out.println(
+                "Currently this test scenario can be verified only on macOS.");
+            return;
+        }
+
+        printError = null;
+
+        if (threadType == TestThreadType.MAIN) {
+            runTest(exceptionType);
+        } else if (threadType == TestThreadType.EDT) {
+            try {
+                SwingUtilities.invokeAndWait(new Runnable() {
+                    @Override
+                    public void run() {
+                        runTest(exceptionType);
+                    }
+                });
+            } catch (InterruptedException | InvocationTargetException e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        if (printError == null) {
+            throw new RuntimeException("No exception was thrown.");
+        } else if (!(printError instanceof PrinterException)) {
+            throw new RuntimeException("Unexpected exception was thrown.");
+        }
+        System.out.println("Test passed.");
+    }
+
+    private void runTest(final TestExceptionType exceptionType) {
+        PrinterJob job = PrinterJob.getPrinterJob();
+        if (job.getPrintService() == null) {
+            System.out.println("No printers are available.");
+            return;
+        }
+
+        job.setPrintable(new Printable() {
+            @Override
+            public int print(Graphics graphics, PageFormat pageFormat,
+                    int pageIndex) throws PrinterException {
+                if (pageIndex > 1) {
+                    return NO_SUCH_PAGE;
+                }
+                if (exceptionType == TestExceptionType.PE) {
+                    throw new PrinterException(
+                        "Exception from 'Printable.print'.");
+                } else if (exceptionType == TestExceptionType.RE) {
+                    throw new RuntimeException(
+                        "Exception from 'Printable.print'.");
+                }
+                return PAGE_EXISTS;
+            }
+        });
+
+        try {
+            job.print();
+        } catch (Throwable t) {
+            printError = t;
+
+            System.out.println("'PrinterJob.print' threw the exception:");
+            t.printStackTrace(System.out);
+        }
+    }
+}

test/jdk/java/util/jar/JarFile/LargeManifestOOMTest.java

@@ -1,78 +0,0 @@
-/*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import jdk.test.lib.util.JarUtils;
-import org.testng.Assert;
-import org.testng.annotations.Test;
-
-import java.io.IOException;
-import java.io.RandomAccessFile;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.Paths;
-import java.util.jar.JarFile;
-
-/**
- * @test
- * @bug 8242882
- * @summary Verify that opening a jar file with a large manifest throws an OutOfMemoryError
- * and not a NegativeArraySizeException
- * @library /test/lib
- * @run testng LargeManifestOOMTest
- */
-public class LargeManifestOOMTest {
-    // file will be created with size greater than Integer.MAX_VALUE
-    private static final long MANIFEST_FILE_SIZE = Integer.MAX_VALUE + 1024L;
-
-    /**
-     * Creates a jar which has a large manifest file and then uses the {@link JarFile} to
-     * {@link JarFile#getManifest() load the manifest}. The call to the {@link JarFile#getManifest()}
-     * is then expected to throw a {@link OutOfMemoryError}
-     */
-    @Test
-    public void testOutOfMemoryError() throws Exception {
-        final Path jarSourceRoot = Paths.get("jar-source");
-        createLargeManifest(jarSourceRoot.resolve("META-INF"));
-        final Path jarFilePath = Paths.get("oom-test.jar");
-        JarUtils.createJarFile(jarFilePath.toAbsolutePath(), jarSourceRoot);
-        final JarFile jar = new JarFile(jarFilePath.toFile());
-        Assert.assertThrows(OutOfMemoryError.class, () -> jar.getManifest());
-    }
-
-    /**
-     * Creates a {@code MANIFEST.MF}, whose content is {@link #MANIFEST_FILE_SIZE} in size,
-     * in the {@code parentDir}
-     *
-     * @param parentDir The directory in which the MANIFEST.MF file will be created
-     */
-    private static void createLargeManifest(final Path parentDir) throws IOException {
-        Files.createDirectories(parentDir.toAbsolutePath());
-        final Path manifestFile = parentDir.resolve("MANIFEST.MF");
-        try (final RandomAccessFile largeManifest = new RandomAccessFile(manifestFile.toFile(), "rw")) {
-            largeManifest.writeUTF("Manifest-Version: 1.0\n");
-            largeManifest.writeUTF("OOM-Test: a\n");
-            largeManifest.setLength(MANIFEST_FILE_SIZE);
-        }
-        System.out.println("Size of file " + manifestFile + " is " + manifestFile.toFile().length());
-    }
-}