8299392: [17u] Remove designator DEFAULT_PROMOTED_VERSION_PRE=ea for release 17.0.6

Reviewed-by: goetz

make/conf/version-numbers.conf

@@ -39,4 +39,4 @@ DEFAULT_VERSION_CLASSFILE_MINOR=0
 DEFAULT_VERSION_DOCS_API_SINCE=11
 DEFAULT_ACCEPTABLE_BOOT_VERSIONS="16 17"
 DEFAULT_JDK_SOURCE_TARGET_VERSION=17
-DEFAULT_PROMOTED_VERSION_PRE=ea
+DEFAULT_PROMOTED_VERSION_PRE=

make/data/currency/CurrencyData.properties

@@ -32,7 +32,7 @@ formatVersion=3
 # Version of the currency code information in this class.
 # It is a serial number that accompanies with each amendment.
 
-dataVersion=173
+dataVersion=174
 
 # List of all valid ISO 4217 currency codes.
 # To ensure compatibility, do not remove codes.
@@ -189,7 +189,7 @@ CR=CRC
 # COTE D'IVOIRE
 CI=XOF
 # CROATIA
-HR=HRK
+HR=HRK;2022-12-31-23-00-00;EUR
 # CUBA
 CU=CUP
 # Cura\u00e7ao

src/hotspot/os/posix/signals_posix.cpp

@@ -597,7 +597,7 @@ int JVM_HANDLE_XXX_SIGNAL(int sig, siginfo_t* info,
   if (!signal_was_handled) {
     // Handle SafeFetch access.
 #ifndef ZERO
-    if (uc != NULL) {
+    if ((sig == SIGSEGV || sig == SIGBUS) && uc != NULL) {
       address pc = os::Posix::ucontext_get_pc(uc);
       if (StubRoutines::is_safefetch_fault(pc)) {
         os::Posix::ucontext_set_pc(uc, StubRoutines::continuation_for_safefetch_fault(pc));

src/hotspot/os/posix/vmError_posix.cpp

@@ -77,19 +77,21 @@ static void crash_handler(int sig, siginfo_t* info, void* ucVoid) {
   }
 
   // Needed to make it possible to call SafeFetch.. APIs in error handling.
-  if (uc && pc && StubRoutines::is_safefetch_fault(pc)) {
-    os::Posix::ucontext_set_pc(uc, StubRoutines::continuation_for_safefetch_fault(pc));
-    return;
-  }
-
-  // Needed because asserts may happen in error handling too.
-#ifdef CAN_SHOW_REGISTERS_ON_ASSERT
-  if ((sig == SIGSEGV || sig == SIGBUS) && info != NULL && info->si_addr == g_assert_poison) {
-    if (handle_assert_poison_fault(ucVoid, info->si_addr)) {
+  if (sig == SIGSEGV || sig == SIGBUS) {
+    if (uc && pc && StubRoutines::is_safefetch_fault(pc)) {
+      os::Posix::ucontext_set_pc(uc, StubRoutines::continuation_for_safefetch_fault(pc));
       return;
     }
-  }
+
+    // Needed because asserts may happen in error handling too.
+#ifdef CAN_SHOW_REGISTERS_ON_ASSERT
+    if (info != NULL && info->si_addr == g_assert_poison) {
+      if (handle_assert_poison_fault(ucVoid, info->si_addr)) {
+        return;
+      }
+    }
 #endif // CAN_SHOW_REGISTERS_ON_ASSERT
+  }
 
   VMError::report_and_die(NULL, sig, pc, info, ucVoid);
 }

src/hotspot/share/jfr/recorder/checkpoint/jfrCheckpointManager.cpp

@@ -119,7 +119,9 @@ bool JfrCheckpointManager::initialize() {
 
 #ifdef ASSERT
 static void assert_lease(const BufferPtr buffer) {
-  assert(buffer != NULL, "invariant");
+  if (buffer == nullptr) {
+    return;
+  }
   assert(buffer->acquired_by_self(), "invariant");
   assert(buffer->lease(), "invariant");
 }
@@ -220,8 +222,9 @@ BufferPtr JfrCheckpointManager::flush(BufferPtr old, size_t used, size_t request
     return NULL;
   }
   BufferPtr new_buffer = lease(old, thread, used + requested);
-  assert(new_buffer != NULL, "invariant");
-  migrate_outstanding_writes(old, new_buffer, used, requested);
+  if (new_buffer != nullptr) {
+    migrate_outstanding_writes(old, new_buffer, used, requested);
+  }
   retire(old);
   return new_buffer;
 }

src/hotspot/share/jfr/recorder/storage/jfrBuffer.cpp

@@ -35,13 +35,15 @@ JfrBuffer::JfrBuffer() : _next(NULL),
                          _size(0),
                          _header_size(0),
                          _flags(0),
-                         _context(0) {}
+                         _context(0)
+                         LP64_ONLY(COMMA _pad(0)) {}
 
 bool JfrBuffer::initialize(size_t header_size, size_t size) {
   assert(_next == NULL, "invariant");
   assert(_identity == NULL, "invariant");
-  _header_size = (u2)header_size;
-  _size = (u4)(size / BytesPerWord);
+  assert(header_size <= max_jushort, "invariant");
+  _header_size = static_cast<u2>(header_size);
+  _size = size;
   set_pos(start());
   set_top(start());
   assert(free_size() == size, "invariant");

src/hotspot/share/jfr/recorder/storage/jfrBuffer.hpp

@@ -70,10 +70,11 @@ class JfrBuffer {
   const void* _identity;
   u1* _pos;
   mutable const u1* _top;
-  u4 _size;
+  size_t _size;
   u2 _header_size;
   u1 _flags;
   u1 _context;
+  LP64_ONLY(const u4 _pad;)
 
   const u1* stable_top() const;
 
@@ -125,7 +126,7 @@ class JfrBuffer {
   void release_critical_section_top(const u1* new_top);
 
   size_t size() const {
-    return _size * BytesPerWord;
+    return _size;
   }
 
   size_t total_size() const {

src/hotspot/share/jfr/recorder/storage/jfrMemorySpace.inline.hpp

@@ -202,16 +202,24 @@ inline bool JfrMemorySpace< Client, RetrievalPolicy, FreeListType, FullListType,
 
 // allocations are even multiples of the mspace min size
 static inline size_t align_allocation_size(size_t requested_size, size_t min_element_size) {
+  if (requested_size > static_cast<size_t>(min_intx)) {
+    assert(false, "requested size: " SIZE_FORMAT " is too large", requested_size);
+    return 0;
+  }
   u8 alloc_size_bytes = min_element_size;
   while (requested_size > alloc_size_bytes) {
     alloc_size_bytes <<= 1;
   }
-  return (size_t)alloc_size_bytes;
+  assert(alloc_size_bytes <= static_cast<size_t>(min_intx), "invariant");
+  return static_cast<size_t>(alloc_size_bytes);
 }
 
 template <typename Client, template <typename> class RetrievalPolicy, typename FreeListType, typename FullListType, bool epoch_aware>
 inline typename FreeListType::NodePtr JfrMemorySpace<Client, RetrievalPolicy, FreeListType, FullListType, epoch_aware>::allocate(size_t size) {
   const size_t aligned_size_bytes = align_allocation_size(size, _min_element_size);
+  if (aligned_size_bytes == 0) {
+    return NULL;
+  }
   void* const allocation = JfrCHeapObj::new_array<u1>(aligned_size_bytes + sizeof(Node));
   if (allocation == NULL) {
     return NULL;

src/hotspot/share/jfr/writers/jfrWriterHost.inline.hpp

@@ -73,6 +73,7 @@ template <typename T>
 inline void WriterHost<BE, IE, WriterPolicyImpl>::write(const T* value, size_t len) {
   assert(value != NULL, "invariant");
   assert(len > 0, "invariant");
+  assert(len <= max_jint, "invariant");
   // Might need T + 1 size
   u1* const pos = ensure_size(sizeof(T) * len + len);
   if (pos) {
@@ -125,8 +126,9 @@ template <typename T>
 inline void WriterHost<BE, IE, WriterPolicyImpl>::be_write(const T* value, size_t len) {
   assert(value != NULL, "invariant");
   assert(len > 0, "invariant");
-  // Might need T + 1 size
-  u1* const pos = ensure_size(sizeof(T) * len + len);
+  assert(len <= max_jint, "invariant");
+  // Big endian writes map one-to-one for length, so no extra space is needed.
+  u1* const pos = ensure_size(sizeof(T) * len);
   if (pos) {
     this->set_current_pos(BE::be_write(value, len, pos));
   }

src/hotspot/share/prims/jvmtiExport.cpp

@@ -1494,7 +1494,9 @@ void JvmtiExport::post_thread_end(JavaThread *thread) {
 
 void JvmtiExport::post_object_free(JvmtiEnv* env, GrowableArray<jlong>* objects) {
   assert(objects != NULL, "Nothing to post");
-  assert(env->is_enabled(JVMTI_EVENT_OBJECT_FREE), "checking");
+  if (!env->is_enabled(JVMTI_EVENT_OBJECT_FREE)) {
+    return; // the event type has been already disabled
+  }
 
   EVT_TRIG_TRACE(JVMTI_EVENT_OBJECT_FREE, ("[?] Trg Object Free triggered" ));
   EVT_TRACE(JVMTI_EVENT_OBJECT_FREE, ("[?] Evt Object Free sent"));

src/java.base/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java

@@ -34,6 +34,7 @@ import javax.crypto.spec.DHGenParameterSpec;
 
 import sun.security.provider.ParameterCache;
 import static sun.security.util.SecurityProviderConstants.DEF_DH_KEY_SIZE;
+import static sun.security.util.SecurityProviderConstants.getDefDHPrivateExpSize;
 
 /**
  * This class represents the key pair generator for Diffie-Hellman key pairs.
@@ -60,9 +61,6 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
     // The size in bits of the prime modulus
     private int pSize;
 
-    // The size in bits of the random exponent (private value)
-    private int lSize;
-
     // The source of randomness
     private SecureRandom random;
 
@@ -71,7 +69,8 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
         initialize(DEF_DH_KEY_SIZE, null);
     }
 
-    private static void checkKeySize(int keysize)
+    // pkg private; used by DHParameterGenerator class as well
+    static void checkKeySize(int keysize, int expSize)
             throws InvalidParameterException {
 
         if ((keysize < 512) || (keysize > 8192) || ((keysize & 0x3F) != 0)) {
@@ -80,6 +79,13 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
                     "from 512 to 8192 (inclusive). " +
                     "The specific key size " + keysize + " is not supported");
         }
+
+        // optional, could be 0 if not specified
+        if ((expSize < 0) || (expSize > keysize)) {
+            throw new InvalidParameterException
+                    ("Exponent size must be positive and no larger than" +
+                    " modulus size");
+        }
     }
 
     /**
@@ -91,21 +97,17 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
      * @param random the source of randomness
      */
     public void initialize(int keysize, SecureRandom random) {
-        checkKeySize(keysize);
+        checkKeySize(keysize, 0);
 
-        // Use the built-in parameters (ranging from 512 to 8192)
-        // when available.
-        this.params = ParameterCache.getCachedDHParameterSpec(keysize);
-
-        // Due to performance issue, only support DH parameters generation
-        // up to 1024 bits.
-        if ((this.params == null) && (keysize > 1024)) {
-            throw new InvalidParameterException(
-                "Unsupported " + keysize + "-bit DH parameter generation");
+        try {
+            // Use the built-in parameters (ranging from 512 to 8192)
+            // when available.
+            this.params = ParameterCache.getDHParameterSpec(keysize, random);
+        } catch (GeneralSecurityException e) {
+            throw new InvalidParameterException(e.getMessage());
         }
 
         this.pSize = keysize;
-        this.lSize = 0;
         this.random = random;
     }
 
@@ -130,22 +132,13 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
                 ("Inappropriate parameter type");
         }
 
-        params = (DHParameterSpec)algParams;
+        params = (DHParameterSpec) algParams;
         pSize = params.getP().bitLength();
         try {
-            checkKeySize(pSize);
+            checkKeySize(pSize, params.getL());
         } catch (InvalidParameterException ipe) {
             throw new InvalidAlgorithmParameterException(ipe.getMessage());
         }
-
-        // exponent size is optional, could be 0
-        lSize = params.getL();
-
-        // Require exponentSize < primeSize
-        if ((lSize != 0) && (lSize > pSize)) {
-            throw new InvalidAlgorithmParameterException
-                ("Exponent size must not be larger than modulus size");
-        }
         this.random = random;
     }
 
@@ -159,24 +152,12 @@ public final class DHKeyPairGenerator extends KeyPairGeneratorSpi {
             random = SunJCE.getRandom();
         }
 
-        if (params == null) {
-            try {
-                params = ParameterCache.getDHParameterSpec(pSize, random);
-            } catch (GeneralSecurityException e) {
-                // should never happen
-                throw new ProviderException(e);
-            }
-        }
-
         BigInteger p = params.getP();
         BigInteger g = params.getG();
 
-        if (lSize <= 0) {
-            lSize = pSize >> 1;
-            // use an exponent size of (pSize / 2) but at least 384 bits
-            if (lSize < 384) {
-                lSize = 384;
-            }
+        int lSize = params.getL();
+        if (lSize == 0) { // not specified; use our own default
+            lSize = getDefDHPrivateExpSize(params);
         }
 
         BigInteger x;

src/java.base/share/classes/com/sun/crypto/provider/DHParameterGenerator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -59,7 +59,7 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
     // The source of randomness
     private SecureRandom random = null;
 
-    private static void checkKeySize(int keysize)
+    private static void checkSupport(int keysize, int exponentSize)
             throws InvalidParameterException {
 
         boolean supported = ((keysize == 2048) || (keysize == 3072) ||
@@ -67,9 +67,13 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
 
         if (!supported) {
             throw new InvalidParameterException(
-                    "DH key size must be multiple of 64 and range " +
+                    "Supported DH key size must be multiple of 64 and range " +
                     "from 512 to 1024 (inclusive), or 2048, 3072. " +
-                    "The specific key size " + keysize + " is not supported");
+                    "The specified key size " + keysize + " is not supported");
+        }
+
+        if (exponentSize != 0) {
+            DHKeyPairGenerator.checkKeySize(keysize, exponentSize);
         }
     }
 
@@ -83,7 +87,8 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
      */
     @Override
     protected void engineInit(int keysize, SecureRandom random) {
-        checkKeySize(keysize);
+        checkSupport(keysize, 0);
+
         this.primeSize = keysize;
         this.random = random;
     }
@@ -108,21 +113,17 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
                 ("Inappropriate parameter type");
         }
 
-        DHGenParameterSpec dhParamSpec = (DHGenParameterSpec)genParamSpec;
-        primeSize = dhParamSpec.getPrimeSize();
-        exponentSize = dhParamSpec.getExponentSize();
-        if ((exponentSize <= 0) || (exponentSize >= primeSize)) {
-            throw new InvalidAlgorithmParameterException(
-                    "Exponent size (" + exponentSize +
-                    ") must be positive and less than modulus size (" +
-                    primeSize + ")");
-        }
+        DHGenParameterSpec dhParamSpec = (DHGenParameterSpec) genParamSpec;
+        int primeSize = dhParamSpec.getPrimeSize();
+        int exponentSize = dhParamSpec.getExponentSize();
         try {
-            checkKeySize(primeSize);
+            checkSupport(primeSize, exponentSize);
         } catch (InvalidParameterException ipe) {
             throw new InvalidAlgorithmParameterException(ipe.getMessage());
         }
 
+        this.primeSize = primeSize;
+        this.exponentSize = exponentSize;
         this.random = random;
     }
 

src/java.base/share/classes/java/net/InetAddress.java

@@ -1360,6 +1360,10 @@ public class InetAddress implements java.io.Serializable {
             InetAddress[] ret = new InetAddress[1];
             if(addr != null) {
                 if (addr.length == Inet4Address.INADDRSZ) {
+                    if (numericZone != -1 || ifname != null) {
+                        // IPv4-mapped address must not contain zone-id
+                        throw new UnknownHostException(host + ": invalid IPv4-mapped address");
+                    }
                     ret[0] = new Inet4Address(null, addr);
                 } else {
                     if (ifname != null) {
@@ -1404,22 +1408,23 @@ public class InetAddress implements java.io.Serializable {
         int percent = s.indexOf ('%');
         int slen = s.length();
         int digit, zone=0;
+        int multmax = Integer.MAX_VALUE / 10; // for int overflow detection
         if (percent == -1) {
             return -1;
         }
         for (int i=percent+1; i<slen; i++) {
             char c = s.charAt(i);
-            if (c == ']') {
-                if (i == percent+1) {
-                    /* empty per-cent field */
-                    return -1;
-                }
-                break;
+            if ((digit = IPAddressUtil.parseAsciiDigit(c, 10)) < 0) {
+                return -1;
             }
-            if ((digit = Character.digit (c, 10)) < 0) {
+            if (zone > multmax) {
                 return -1;
             }
             zone = (zone * 10) + digit;
+            if (zone < 0) {
+                return -1;
+            }
+
         }
         return zone;
     }

src/java.base/share/classes/sun/net/util/IPAddressUtil.java

@@ -785,7 +785,7 @@ public class IPAddressUtil {
     }
 
     // Parse ASCII digit in given radix
-    private static int parseAsciiDigit(char c, int radix) {
+    public static int parseAsciiDigit(char c, int radix) {
         assert radix == OCTAL || radix == DECIMAL || radix == HEXADECIMAL;
         if (radix == HEXADECIMAL) {
             return parseAsciiHexDigit(c);

src/java.base/share/classes/sun/security/provider/ParameterCache.java

@@ -34,6 +34,7 @@ import java.security.SecureRandom;
 import java.security.spec.*;
 
 import javax.crypto.spec.DHParameterSpec;
+import sun.security.util.SafeDHParameterSpec;
 
 /**
  * Cache for DSA and DH parameter specs. Used by the KeyPairGenerators
@@ -55,6 +56,26 @@ public final class ParameterCache {
     // cache of DH parameters
     private static final Map<Integer,DHParameterSpec> dhCache;
 
+    // convert DHParameterSpec to SafeDHParameterSpec if its parameters are
+    // safe primes; validation takes time but should be worthwhile for the
+    // parameter cache since the parameters may be reused many times.
+    private static DHParameterSpec makeSafe(DHParameterSpec spec) {
+        if (spec instanceof SafeDHParameterSpec) {
+            return spec;
+        }
+
+        BigInteger p = spec.getP();
+        BigInteger g = spec.getG();
+
+        boolean isSafe = (g.equals(BigInteger.TWO) && p.testBit(0) &&
+                p.shiftRight(1).isProbablePrime(100));
+        if (isSafe) {
+            return new SafeDHParameterSpec(p, g, spec.getL());
+        } else {
+            return spec;
+        }
+    }
+
     /**
      * Return cached DSA parameters for the given length combination of
      * prime and subprime, or null if none are available in the cache.
@@ -74,7 +95,7 @@ public final class ParameterCache {
      * are available in the cache.
      */
     public static DHParameterSpec getCachedDHParameterSpec(int keyLength) {
-        return dhCache.get(Integer.valueOf(keyLength));
+        return dhCache.get(keyLength);
     }
 
     /**
@@ -132,7 +153,7 @@ public final class ParameterCache {
         gen.init(keyLength, random);
         AlgorithmParameters params = gen.generateParameters();
         spec = params.getParameterSpec(DHParameterSpec.class);
-        dhCache.put(Integer.valueOf(keyLength), spec);
+        dhCache.put(keyLength, makeSafe(spec));
         return spec;
     }
 
@@ -394,6 +415,12 @@ public final class ParameterCache {
         // the common generator
         BigInteger dhG = BigInteger.TWO;
 
+        // Self generated following the approach from RFC 2412 Appendix E but
+        // using random source instead of binary expansion of pi
+        BigInteger dhP512 = new BigInteger(
+                "FFFFFFFFFFFFFFFF8B479B3A6E8DE86C294188F0BF2CD86C" +
+                "DB950ADB36D0F61FD51E46F69C99ED95ABE5A7BBB230A6ED" +
+                "1D0B4506B5317284FFFFFFFFFFFFFFFF", 16);
         //
         // From RFC 7296
 
@@ -562,16 +589,18 @@ public final class ParameterCache {
                 "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" +
                 "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", 16);
 
-        // use DSA parameters for DH for sizes not defined in RFC 7296, 3526
-        dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512));
+        // self-generated safe prime
+        dhCache.put(512, new SafeDHParameterSpec(dhP512, dhG));
 
-        dhCache.put(Integer.valueOf(768), new DHParameterSpec(dhP768, dhG));
-        dhCache.put(Integer.valueOf(1024), new DHParameterSpec(dhP1024, dhG));
-        dhCache.put(Integer.valueOf(1536), new DHParameterSpec(dhP1536, dhG));
-        dhCache.put(Integer.valueOf(2048), new DHParameterSpec(dhP2048, dhG));
-        dhCache.put(Integer.valueOf(3072), new DHParameterSpec(dhP3072, dhG));
-        dhCache.put(Integer.valueOf(4096), new DHParameterSpec(dhP4096, dhG));
-        dhCache.put(Integer.valueOf(6144), new DHParameterSpec(dhP6144, dhG));
-        dhCache.put(Integer.valueOf(8192), new DHParameterSpec(dhP8192, dhG));
+        // from RFC 7296
+        dhCache.put(768, new SafeDHParameterSpec(dhP768, dhG));
+        dhCache.put(1024, new SafeDHParameterSpec(dhP1024, dhG));
+        // from RFC 3526
+        dhCache.put(1536, new SafeDHParameterSpec(dhP1536, dhG));
+        dhCache.put(2048, new SafeDHParameterSpec(dhP2048, dhG));
+        dhCache.put(3072, new SafeDHParameterSpec(dhP3072, dhG));
+        dhCache.put(4096, new SafeDHParameterSpec(dhP4096, dhG));
+        dhCache.put(6144, new SafeDHParameterSpec(dhP6144, dhG));
+        dhCache.put(8192, new SafeDHParameterSpec(dhP8192, dhG));
     }
 }

src/java.base/share/classes/sun/security/ssl/ClientHello.java

@@ -1379,25 +1379,30 @@ final class ClientHello {
                 shc.resumingSession = resumingSession ? previous : null;
             }
 
-            HelloCookieManager hcm =
-                shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
-            if (!shc.isResumption &&
-                !hcm.isCookieValid(shc, clientHello, clientHello.cookie)) {
-                //
-                // Perform cookie exchange for DTLS handshaking if no cookie
-                // or the cookie is invalid in the ClientHello message.
-                //
-                // update the responders
-                shc.handshakeProducers.put(
-                        SSLHandshake.HELLO_VERIFY_REQUEST.id,
-                        SSLHandshake.HELLO_VERIFY_REQUEST);
 
-                //
-                // produce response handshake message
-                //
-                SSLHandshake.HELLO_VERIFY_REQUEST.produce(context, clientHello);
+            // We will by default exchange DTLS cookies for all handshakes
+            // (new and resumed) unless jdk.tls.enableDtlsResumeCookie=false.
+            // The property only affects the cookie exchange for resumption.
+            if (!shc.isResumption || SSLConfiguration.enableDtlsResumeCookie) {
+                HelloCookieManager hcm =
+                        shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
+                if (!hcm.isCookieValid(shc, clientHello, clientHello.cookie)) {
+                    //
+                    // Perform cookie exchange for DTLS handshaking if no cookie
+                    // or the cookie is invalid in the ClientHello message.
+                    //
+                    // update the responders
+                    shc.handshakeProducers.put(
+                            SSLHandshake.HELLO_VERIFY_REQUEST.id,
+                            SSLHandshake.HELLO_VERIFY_REQUEST);
 
-                return;
+                    //
+                    // produce response handshake message
+                    //
+                    SSLHandshake.HELLO_VERIFY_REQUEST.produce(context, clientHello);
+
+                    return;
+                }
             }
 
             // cache the client random number for further using

src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java

@@ -33,6 +33,7 @@ import java.util.Map;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.crypto.spec.DHParameterSpec;
+import sun.security.util.SafeDHParameterSpec;
 
 /**
  * Predefined default DH ephemeral parameters.
@@ -280,8 +281,8 @@ final class PredefinedDHParameterSpecs {
                     String baseGenerator = paramsFinder.group(2);
                     BigInteger g = new BigInteger(baseGenerator, 16);
 
-                    DHParameterSpec spec = new DHParameterSpec(p, g);
                     int primeLen = p.bitLength();
+                    DHParameterSpec spec = new DHParameterSpec(p, g);
                     defaultParams.put(primeLen, spec);
                 }
             } else if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
@@ -293,7 +294,7 @@ final class PredefinedDHParameterSpecs {
         Map<Integer,DHParameterSpec> tempFFDHEs = new HashMap<>();
         for (BigInteger p : ffdhePrimes) {
             int primeLen = p.bitLength();
-            DHParameterSpec dhps = new DHParameterSpec(p, BigInteger.TWO);
+            DHParameterSpec dhps = new SafeDHParameterSpec(p, BigInteger.TWO);
             tempFFDHEs.put(primeLen, dhps);
             defaultParams.putIfAbsent(primeLen, dhps);
         }
@@ -301,8 +302,8 @@ final class PredefinedDHParameterSpecs {
         for (BigInteger p : supportedPrimes) {
             int primeLen = p.bitLength();
             if (defaultParams.get(primeLen) == null) {
-                defaultParams.put(primeLen,
-                    new DHParameterSpec(p, BigInteger.TWO));
+                defaultParams.put(primeLen, new SafeDHParameterSpec(p,
+                        BigInteger.TWO));
             }
         }
 

src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java

@@ -113,6 +113,9 @@ final class SSLConfiguration implements Cloneable {
     static final int maxCertificateChainLength = GetIntegerAction.privilegedGetProperty(
             "jdk.tls.maxCertificateChainLength", 10);
 
+    static final boolean enableDtlsResumeCookie = Utilities.getBooleanProperty(
+            "jdk.tls.enableDtlsResumeCookie", true);
+
     // Is the extended_master_secret extension supported?
     static {
         boolean supportExtendedMasterSecret = Utilities.getBooleanProperty(

src/java.base/share/classes/sun/security/tools/keytool/Main.java

@@ -47,8 +47,6 @@ import java.security.interfaces.EdECKey;
 import java.security.spec.ECParameterSpec;
 import java.text.Collator;
 import java.text.MessageFormat;
-import java.text.ParseException;
-import java.text.SimpleDateFormat;
 import java.util.*;
 import java.util.function.BiFunction;
 import java.util.jar.JarEntry;
@@ -4924,17 +4922,6 @@ public final class Main {
                                 "Unable.to.parse.denyAfter.string.in.exception.message"));
                     }
 
-                    SimpleDateFormat formatter = new SimpleDateFormat("EEE MMM dd HH:mm:ss Z yyyy");
-                    Date dateObj = null;
-                    try {
-                        dateObj = formatter.parse(denyAfterDate);
-                    } catch (ParseException e2) {
-                        throw new Exception(rb.getString(
-                                "Unable.to.parse.denyAfter.string.in.exception.message"));
-                    }
-                    formatter = new SimpleDateFormat("yyyy-MM-dd");
-                    denyAfterDate = formatter.format(dateObj);
-
                     weakWarnings.add(String.format(
                             rb.getString("whose.sigalg.usagesignedjar"), label, sigAlg,
                             denyAfterDate));

src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,9 +40,12 @@ import java.security.spec.InvalidParameterSpecException;
 import java.security.spec.MGF1ParameterSpec;
 import java.security.spec.NamedParameterSpec;
 import java.security.spec.PSSParameterSpec;
+import java.time.DateTimeException;
+import java.time.Instant;
+import java.time.ZonedDateTime;
+import java.time.ZoneId;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -52,7 +55,6 @@ import java.util.Map;
 import java.util.Set;
 import java.util.Collection;
 import java.util.StringTokenizer;
-import java.util.TimeZone;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.Pattern;
 import java.util.regex.Matcher;
@@ -700,41 +702,30 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
      * timezone.
      */
     private static class DenyAfterConstraint extends Constraint {
-        private Date denyAfterDate;
+        private ZonedDateTime zdt;
+        private Instant denyAfterDate;
 
         DenyAfterConstraint(String algo, int year, int month, int day) {
-            Calendar c;
 
             algorithm = algo;
 
             if (debug != null) {
-                debug.println("DenyAfterConstraint read in as:  year " +
+                debug.println("DenyAfterConstraint read in as: year " +
                         year + ", month = " + month + ", day = " + day);
             }
 
-            c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT"))
-                    .setDate(year, month - 1, day).build();
-
-            if (year > c.getActualMaximum(Calendar.YEAR) ||
-                    year < c.getActualMinimum(Calendar.YEAR)) {
+            try {
+                zdt = ZonedDateTime
+                    .of(year, month, day, 0, 0, 0, 0, ZoneId.of("GMT"));
+                denyAfterDate = zdt.toInstant();
+            } catch (DateTimeException dte) {
                 throw new IllegalArgumentException(
-                        "Invalid year given in constraint: " + year);
-            }
-            if ((month - 1) > c.getActualMaximum(Calendar.MONTH) ||
-                    (month - 1) < c.getActualMinimum(Calendar.MONTH)) {
-                throw new IllegalArgumentException(
-                        "Invalid month given in constraint: " + month);
-            }
-            if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) ||
-                    day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) {
-                throw new IllegalArgumentException(
-                        "Invalid Day of Month given in constraint: " + day);
+                    "Invalid denyAfter date", dte);
             }
 
-            denyAfterDate = c.getTime();
             if (debug != null) {
                 debug.println("DenyAfterConstraint date set to: " +
-                        denyAfterDate);
+                        zdt.toLocalDate());
             }
         }
 
@@ -749,23 +740,22 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
         @Override
         public void permits(ConstraintsParameters cp)
                 throws CertPathValidatorException {
-            Date currentDate;
-            String errmsg;
+            Instant currentDate;
 
             if (cp.getDate() != null) {
-                currentDate = cp.getDate();
+                currentDate = cp.getDate().toInstant();
             } else {
-                currentDate = new Date();
+                currentDate = Instant.now();
             }
 
-            if (!denyAfterDate.after(currentDate)) {
+            if (!denyAfterDate.isAfter(currentDate)) {
                 if (next(cp)) {
                     return;
                 }
                 throw new CertPathValidatorException(
                         "denyAfter constraint check failed: " + algorithm +
                         " used with Constraint date: " +
-                        denyAfterDate + "; params date: " +
+                        zdt.toLocalDate() + "; params date: " +
                         currentDate + cp.extendedExceptionMsg(),
                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
             }
@@ -784,7 +774,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
                 debug.println("DenyAfterConstraints.permits(): " + algorithm);
             }
 
-            return denyAfterDate.after(new Date());
+            return denyAfterDate.isAfter(Instant.now());
         }
     }
 

src/java.base/share/classes/sun/security/util/SafeDHParameterSpec.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.math.BigInteger;
+import javax.crypto.spec.DHParameterSpec;
+
+/**
+ * Internal marker class for well-known safe DH parameters. It should
+ * only be used with trusted callers since it does not have all the needed
+ * values for validation.
+ */
+
+public final class SafeDHParameterSpec extends DHParameterSpec {
+    public SafeDHParameterSpec(BigInteger p, BigInteger g) {
+        super(p, g);
+    }
+
+    public SafeDHParameterSpec(BigInteger p, BigInteger g, int l) {
+        super(p, g, l);
+    }
+}

src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java

@@ -30,6 +30,7 @@ import java.util.concurrent.ConcurrentHashMap;
 import java.util.regex.PatternSyntaxException;
 import java.security.InvalidParameterException;
 import java.security.ProviderException;
+import javax.crypto.spec.DHParameterSpec;
 import sun.security.action.GetPropertyAction;
 
 /**
@@ -105,6 +106,42 @@ public final class SecurityProviderConstants {
         }
     }
 
+    public static final int getDefDHPrivateExpSize(DHParameterSpec spec) {
+
+        int dhGroupSize = spec.getP().bitLength();
+
+        if (spec instanceof SafeDHParameterSpec) {
+            // Known safe primes
+            // use 2*security strength as default private exponent size
+            // as in table 2 of NIST SP 800-57 part 1 rev 5, sec 5.6.1.1
+            // and table 25 of NIST SP 800-56A rev 3, appendix D.
+            if (dhGroupSize >= 15360) {
+                return 512;
+            } else if (dhGroupSize >= 8192) {
+                return 400;
+            } else if (dhGroupSize >= 7680) {
+                return 384;
+            } else if (dhGroupSize >= 6144) {
+                return 352;
+            } else if (dhGroupSize >= 4096) {
+                return 304;
+            } else if (dhGroupSize >= 3072) {
+                return 256;
+            } else if (dhGroupSize >= 2048) {
+                return 224;
+            } else {
+                // min value for legacy key sizes
+                return 160;
+            }
+        } else {
+            // assume the worst and use groupSize/2 as private exp length
+            // up to 1024-bit and use the same minimum 384 as before
+            return Math.max((dhGroupSize >= 2048 ? 1024 : dhGroupSize >> 1),
+                    384);
+        }
+
+    }
+
     public static final int DEF_DSA_KEY_SIZE;
     public static final int DEF_RSA_KEY_SIZE;
     public static final int DEF_RSASSA_PSS_KEY_SIZE;

src/java.base/share/native/libjava/jni_util.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -885,6 +885,13 @@ getStringUTF8(JNIEnv *env, jstring jstr)
         }
     }
 
+    // Check `jint` overflow
+    if (rlen < 0) {
+        (*env)->ReleasePrimitiveArrayCritical(env, value, str, 0);
+        JNU_ThrowOutOfMemoryError(env, "requested array size exceeds VM limit");
+        return NULL;
+    }
+
     result = MALLOC_MIN4(rlen);
     if (result == NULL) {
         (*env)->ReleasePrimitiveArrayCritical(env, value, str, 0);

src/java.desktop/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -630,25 +630,20 @@ public class BMPImageReader extends ImageReader implements BMPConstants {
 
             iis.mark();
             iis.skipBytes(profileData - size);
-            byte[] profile = new byte[profileSize];
-            iis.readFully(profile, 0, profileSize);
+            byte[] profile = ReaderUtil.
+                    staggeredReadByteStream(iis, profileSize);
             iis.reset();
 
-            try {
-                if (metadata.colorSpace == PROFILE_LINKED &&
-                    isLinkedProfileAllowed() &&
-                    !isUncOrDevicePath(profile))
-                {
-                    String path = new String(profile, "windows-1252");
+            if (metadata.colorSpace == PROFILE_LINKED &&
+                isLinkedProfileAllowed())
+            {
+                String path = new String(profile, "windows-1252");
 
-                    colorSpace =
-                        new ICC_ColorSpace(ICC_Profile.getInstance(path));
-                } else {
-                    colorSpace =
-                        new ICC_ColorSpace(ICC_Profile.getInstance(profile));
-                }
-            } catch (Exception e) {
-                colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB);
+                colorSpace =
+                    new ICC_ColorSpace(ICC_Profile.getInstance(path));
+            } else if (metadata.colorSpace == PROFILE_EMBEDDED) {
+                colorSpace =
+                    new ICC_ColorSpace(ICC_Profile.getInstance(profile));
             }
         }
 
@@ -2063,73 +2058,20 @@ public class BMPImageReader extends ImageReader implements BMPConstants {
         public void readAborted(ImageReader src) {}
     }
 
-    private static Boolean isLinkedProfileDisabled = null;
+    private static Boolean isLinkedProfileAllowed = null;
 
     @SuppressWarnings("removal")
     private static boolean isLinkedProfileAllowed() {
-        if (isLinkedProfileDisabled == null) {
+        if (isLinkedProfileAllowed == null) {
             PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
                 @Override
                 public Boolean run() {
-                    return Boolean.getBoolean("sun.imageio.plugins.bmp.disableLinkedProfiles");
+                    return Boolean.
+                        getBoolean("sun.imageio.bmp.enableLinkedProfiles");
                 }
             };
-            isLinkedProfileDisabled = AccessController.doPrivileged(a);
-        }
-        return !isLinkedProfileDisabled;
-    }
-
-    private static Boolean isWindowsPlatform = null;
-
-    /**
-     * Verifies whether the byte array contans a unc path.
-     * Non-UNC path examples:
-     *  c:\path\to\file  - simple notation
-     *  \\?\c:\path\to\file - long notation
-     *
-     * UNC path examples:
-     *  \\server\share - a UNC path in simple notation
-     *  \\?\UNC\server\share - a UNC path in long notation
-     *  \\.\some\device - a path to device.
-     */
-    @SuppressWarnings("removal")
-    private static boolean isUncOrDevicePath(byte[] p) {
-        if (isWindowsPlatform == null) {
-            PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
-                @Override
-                public Boolean run() {
-                    String osname = System.getProperty("os.name");
-                    return (osname != null &&
-                            osname.toLowerCase().startsWith("win"));
-                }
-            };
-            isWindowsPlatform = AccessController.doPrivileged(a);
-        }
-
-        if (!isWindowsPlatform) {
-            /* no need for the check on platforms except windows */
-            return false;
-        }
-
-        /* normalize prefix of the path */
-        if (p[0] == '/') p[0] = '\\';
-        if (p[1] == '/') p[1] = '\\';
-        if (p[3] == '/') p[3] = '\\';
-
-
-        if ((p[0] == '\\') && (p[1] == '\\')) {
-            if ((p[2] == '?') && (p[3] == '\\')) {
-                // long path: whether unc or local
-                return ((p[4] == 'U' || p[4] == 'u') &&
-                        (p[5] == 'N' || p[5] == 'n') &&
-                        (p[6] == 'C' || p[6] == 'c'));
-            } else {
-                // device path or short unc notation
-                return true;
-            }
-        } else {
-            return false;
+            isLinkedProfileAllowed = AccessController.doPrivileged(a);
         }
+        return isLinkedProfileAllowed;
     }
 }
-

src/java.desktop/share/classes/com/sun/media/sound/JARSoundbankReader.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,6 +48,13 @@ import sun.reflect.misc.ReflectUtil;
  */
 public final class JARSoundbankReader extends SoundbankReader {
 
+    /*
+     * Name of the system property that enables the Jar soundbank loading
+     * true if jar sound bank is allowed to be loaded
+     * default is false
+     */
+    private final static String JAR_SOUNDBANK_ENABLED = "jdk.sound.jarsoundbank";
+
     private static boolean isZIP(URL url) {
         boolean ok = false;
         try {
@@ -73,8 +80,10 @@ public final class JARSoundbankReader extends SoundbankReader {
     @SuppressWarnings("deprecation")
     public Soundbank getSoundbank(URL url)
             throws InvalidMidiDataException, IOException {
-        if (!isZIP(url))
+        Objects.requireNonNull(url);
+        if (!Boolean.getBoolean(JAR_SOUNDBANK_ENABLED) || !isZIP(url))
             return null;
+
         ArrayList<Soundbank> soundbanks = new ArrayList<>();
         URLClassLoader ucl = URLClassLoader.newInstance(new URL[]{url});
         InputStream stream = ucl.getResourceAsStream(
@@ -124,6 +133,7 @@ public final class JARSoundbankReader extends SoundbankReader {
     @Override
     public Soundbank getSoundbank(File file)
             throws InvalidMidiDataException, IOException {
+        Objects.requireNonNull(file);
         return getSoundbank(file.toURI().toURL());
     }
 }

src/java.desktop/share/classes/javax/swing/text/html/ObjectView.java

@@ -91,13 +91,15 @@ public class ObjectView extends ComponentView  {
         String classname = (String) attr.getAttribute(HTML.Attribute.CLASSID);
         try {
             ReflectUtil.checkPackageAccess(classname);
-            Class<?> c = Class.forName(classname, true,Thread.currentThread().
+            Class<?> c = Class.forName(classname, false,Thread.currentThread().
                                        getContextClassLoader());
-            Object o = c.newInstance();
-            if (o instanceof Component) {
-                Component comp = (Component) o;
-                setParameters(comp, attr);
-                return comp;
+            if (Component.class.isAssignableFrom(c)) {
+                Object o = c.newInstance();
+                if (o instanceof Component) {
+                    Component comp = (Component) o;
+                    setParameters(comp, attr);
+                    return comp;
+                }
             }
         } catch (Throwable e) {
             // couldn't create a component... fall through to the

src/java.desktop/windows/native/libawt/windows/awt_Font.cpp

@@ -25,6 +25,7 @@
 
 #include "awt.h"
 #include <math.h>
+#include <strsafe.h>
 #include "jlong.h"
 #include "awt_Font.h"
 #include "awt_Toolkit.h"
@@ -287,7 +288,6 @@ AwtFont* AwtFont::Create(JNIEnv *env, jobject font, jint angle, jfloat awScale)
                 return NULL;
             }
             LPCWSTR textComponentFontName = JNU_GetStringPlatformChars(env, jTextComponentFontName, NULL);
-
             awtFont->m_textInput = -1;
             for (int i = 0; i < cfnum; i++) {
                 // nativeName is a pair of platform fontname and its charset
@@ -463,7 +463,7 @@ static HFONT CreateHFont_sub(LPCWSTR name, int style, int height,
 
     // Set font name
     WCHAR tmpname[80];
-    wcscpy(tmpname, name);
+    StringCchCopy(tmpname, 80, name);
     WCHAR* delimit = wcschr(tmpname, L',');
     if (delimit != NULL)
         *delimit = L'\0';  // terminate the string after the font name.
@@ -471,7 +471,7 @@ static HFONT CreateHFont_sub(LPCWSTR name, int style, int height,
     strip_tail(tmpname,L""); //strip possible trailing whitespace
     strip_tail(tmpname,L"Italic");
     strip_tail(tmpname,L"Bold");
-    wcscpy(&(logFont.lfFaceName[0]), tmpname);
+    StringCchCopy(&(logFont.lfFaceName[0]), LF_FACESIZE, tmpname);
     HFONT hFont = ::CreateFontIndirect(&logFont);
     DASSERT(hFont != NULL);
     // get a expanded or condensed version if its specified.
@@ -502,7 +502,7 @@ HFONT AwtFont::CreateHFont(WCHAR* name, int style, int height,
     // 80 > (max face name(=30) + strlen("CHINESEBIG5_CHARSET"))
     // longName doesn't have to be printable.  So, it is OK not to convert.
 
-    wsprintf(longName, L"%ls-%d-%d", name, style, height);
+    StringCchPrintf(longName, 80, L"%ls-%d-%d", name, style, height);
 
     HFONT hFont = NULL;
 
@@ -1750,12 +1750,12 @@ LPSTR CCombinedSegTable::GetCodePageSubkey()
     lpszCP++; // cf lpszCP = "932"
 
     char szSubKey[KEYLEN];
-    strcpy(szSubKey, "EUDC\\");
+    StringCchCopyA(szSubKey, KEYLEN, "EUDC\\");
     if ((strlen(szSubKey) + strlen(lpszCP)) >= KEYLEN) {
         return NULL;
     }
-    strcpy(&(szSubKey[strlen(szSubKey)]), lpszCP);
-    strcpy(m_szCodePageSubkey, szSubKey);
+    StringCchCatA(szSubKey, KEYLEN, lpszCP);
+    StringCchCopyA(m_szCodePageSubkey, KEYLEN, szSubKey);
     return m_szCodePageSubkey;
 }
 
@@ -1780,7 +1780,7 @@ void CCombinedSegTable::GetEUDCFileName(LPWSTR lpszFileName, int cchFileName)
 
     // get EUDC font file name
     WCHAR szFamilyName[80];
-    wcscpy(szFamilyName, GetFontName());
+    StringCchCopy(szFamilyName, 80, GetFontName());
     WCHAR* delimit = wcschr(szFamilyName, L',');
     if (delimit != NULL)
         *delimit = L'\0';
@@ -1799,7 +1799,7 @@ void CCombinedSegTable::GetEUDCFileName(LPWSTR lpszFileName, int cchFileName)
         if (m_fTTEUDCFileExist == FALSE)
             return;
         if (wcslen(m_szDefaultEUDCFile) > 0) {
-            wcscpy(lpszFileName, m_szDefaultEUDCFile);
+            StringCchCopy(lpszFileName, cchFileName, m_szDefaultEUDCFile);
             return;
         }
         char szDefault[] = "SystemDefaultEUDCFont";
@@ -1825,7 +1825,7 @@ void CCombinedSegTable::GetEUDCFileName(LPWSTR lpszFileName, int cchFileName)
     VERIFY(::MultiByteToWideChar(CP_ACP, 0,
         (LPCSTR)szFileName, -1, lpszFileName, cchFileName) != 0);
     if (fUseDefault)
-        wcscpy(m_szDefaultEUDCFile, lpszFileName);
+        StringCchCopy(m_szDefaultEUDCFile, _MAX_PATH, lpszFileName);
 }
 
 void CCombinedSegTable::Create(LPCWSTR name)

src/java.desktop/windows/native/libawt/windows/awt_PrintJob.cpp

@@ -24,6 +24,7 @@
  */
 
 #include "awt.h"
+#include <strsafe.h>
 #include <math.h>
 #include <windef.h>
 #include <wtypes.h>
@@ -2408,7 +2409,7 @@ static jboolean jFontToWFontW(JNIEnv *env, HDC printDC, jstring fontName,
     size_t nameLen = wcslen(fontNameW);
     if (nameLen < (sizeof(lf.lfFaceName) / sizeof(lf.lfFaceName[0]))) {
 
-        wcscpy(lf.lfFaceName, fontNameW);
+        StringCchCopyW(lf.lfFaceName, LF_FACESIZE, fontNameW);
 
         lf.lfCharSet = DEFAULT_CHARSET;
         lf.lfPitchAndFamily = 0;

src/java.desktop/windows/native/libfontmanager/fontpath.c

@@ -24,6 +24,7 @@
  */
 
 #include <windows.h>
+#include <strsafe.h>
 #include <stdio.h>
 
 #include <jni.h>
@@ -63,20 +64,20 @@ JNIEXPORT jstring JNICALL Java_sun_awt_Win32FontManager_getFontPath(JNIEnv *env,
     end = strrchr(sysdir,'\\');
     if (end && (stricmp(end,"\\System") || stricmp(end,"\\System32"))) {
         *end = 0;
-         strcat(sysdir, "\\Fonts");
+        StringCchCatA(sysdir, BSIZE, "\\Fonts");
     }
 
     GetWindowsDirectory(windir, BSIZE);
     if (strlen(windir) > BSIZE-7) {
         *windir = 0;
     } else {
-        strcat(windir, "\\Fonts");
+        StringCchCatA(windir, BSIZE, "\\Fonts");
     }
 
-    strcpy(fontpath,sysdir);
+    StringCchCopyA(fontpath, BSIZE*2, sysdir);
     if (stricmp(sysdir,windir)) {
-        strcat(fontpath,";");
-        strcat(fontpath,windir);
+        StringCchCatA(fontpath, BSIZE*2, ";");
+        StringCchCatA(fontpath, BSIZE*2, windir);
     }
 
     return JNU_NewStringPlatform(env, fontpath);
@@ -152,7 +153,7 @@ static int DifferentFamily(wchar_t *family, wchar_t* fullName) {
     info.isDifferent = 0;
 
     memset(&lfw, 0, sizeof(lfw));
-    wcscpy(lfw.lfFaceName, fullName);
+    StringCchCopyW(lfw.lfFaceName, LF_FACESIZE, fullName);
     lfw.lfCharSet = DEFAULT_CHARSET;
     EnumFontFamiliesExW(screenDC, &lfw,
                         (FONTENUMPROCW)CheckFontFamilyProcW,
@@ -349,7 +350,7 @@ static int CALLBACK EnumFamilyNamesW(
     }
 
     memset(&lfw, 0, sizeof(lfw));
-    wcscpy(lfw.lfFaceName, lpelfe->elfLogFont.lfFaceName);
+    StringCchCopyW(lfw.lfFaceName, LF_FACESIZE, lpelfe->elfLogFont.lfFaceName);
     lfw.lfCharSet = lpelfe->elfLogFont.lfCharSet;
     EnumFontFamiliesExW(screenDC, &lfw,
                         (FONTENUMPROCW)EnumFontFacesInFamilyProcW,
@@ -653,7 +654,7 @@ Java_sun_awt_Win32FontManager_populateFontFileNameMap0
     /* Enumerate fonts via GDI to build maps of fonts and families */
     memset(&lfw, 0, sizeof(lfw));
     lfw.lfCharSet = DEFAULT_CHARSET;  /* all charsets */
-    wcscpy(lfw.lfFaceName, L"");      /* one face per family (CHECK) */
+    StringCchCopyW(lfw.lfFaceName, LF_FACESIZE, L"");      /* one face per family (CHECK) */
     EnumFontFamiliesExW(screenDC, &lfw,
                         (FONTENUMPROCW)EnumFamilyNamesW,
                         (LPARAM)(&fmi), 0L);

src/java.desktop/windows/native/libfontmanager/lcdglyph.c

@@ -48,6 +48,7 @@
 #include <stdio.h>
 #include <malloc.h>
 #include <math.h>
+#include <strsafe.h>
 #include <windows.h>
 #include <winuser.h>
 
@@ -236,7 +237,7 @@ Java_sun_font_FileFontStrike__1getGlyphImageFromWindows
     name[nameLen] = '\0';
 
     if (nameLen < (sizeof(lf.lfFaceName) / sizeof(lf.lfFaceName[0]))) {
-        wcscpy(lf.lfFaceName, name);
+        StringCchCopyW(lf.lfFaceName, LF_FACESIZE, name);
     } else {
         FREE_AND_RETURN;
     }

src/jdk.localedata/share/classes/sun/util/resources/ext/CurrencyNames_hr_HR.properties

@@ -1,5 +1,5 @@
 # 
-# Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -35,4 +35,5 @@
 # This notice and attribution to Taligent may not be removed.
 # Taligent is a registered trademark of Taligent, Inc.
 
+EUR=\u20AC
 HRK=Kn

test/jdk/ProblemList.txt

@@ -1,6 +1,6 @@
 ###########################################################################
 #
-# Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it

test/jdk/java/security/SignedJar/CustomClassLoader.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.IOException;
+import java.io.InputStream;
+
+public class CustomClassLoader extends ClassLoader {
+
+    public CustomClassLoader(ClassLoader parent) {
+        super(parent);
+    }
+
+    @Override
+    public Class<?> findClass(String name) throws ClassNotFoundException {
+        try (InputStream is = getClass().getClassLoader()
+                .getResourceAsStream(name + ".class")) {
+            byte[] buf = is.readAllBytes();
+            return defineClass(name, buf, 0, buf.length);
+        } catch (IOException e) {
+            throw new ClassNotFoundException(e.getMessage());
+        }
+    }
+}

test/jdk/java/security/SignedJar/SignedJarWithCustomClassLoader.java

@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8280890
+ * @library /test/lib
+ * @build SignedJarWithCustomClassLoader CustomClassLoader
+ * @run main/othervm SignedJarWithCustomClassLoader
+ * @summary Make sure java.system.class.loader property can be used when custom
+ *     class loader is inside signed jar
+ */
+
+import java.nio.file.Path;
+import java.nio.file.Paths;
+
+import jdk.test.lib.SecurityTools;
+import jdk.test.lib.compiler.InMemoryJavaCompiler;
+import jdk.test.lib.helpers.ClassFileInstaller;
+import jdk.test.lib.process.ProcessTools;
+import jdk.test.lib.util.JarUtils;
+
+public class SignedJarWithCustomClassLoader {
+
+    public static void main(String[] args) throws Exception {
+
+        // compile the Main program
+        String main = """
+                      public class Main {
+                          public static void main(String[] args) {}
+                      }
+                      """;
+        String testClasses = System.getProperty("test.classes", "");
+        ClassFileInstaller.writeClassToDisk("Main",
+             InMemoryJavaCompiler.compile("Main", main),
+             testClasses);
+
+        // create the jar file
+        Path classes = Paths.get(testClasses);
+        JarUtils.createJarFile(Paths.get("test.jar"), classes,
+            classes.resolve("CustomClassLoader.class"),
+            classes.resolve("Main.class"));
+
+        // create signer's keypair
+        SecurityTools.keytool("-genkeypair -keyalg RSA -keystore ks " +
+                              "-storepass changeit -dname CN=test -alias test")
+                     .shouldHaveExitValue(0);
+
+        // sign jar
+        SecurityTools.jarsigner("-keystore ks -storepass changeit " +
+                                "-signedjar signed.jar test.jar test")
+                     .shouldHaveExitValue(0);
+
+        // run app with system class loader set to custom classloader
+        ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(
+            "-cp", "signed.jar",
+            "-Djava.system.class.loader=CustomClassLoader", "Main");
+        ProcessTools.executeProcess(pb)
+                    .shouldHaveExitValue(0);
+
+        // sign jar again, but this time with SHA-1 which is disabled
+        SecurityTools.jarsigner("-keystore ks -storepass changeit " +
+                                "-digestalg SHA-1 -sigalg SHA1withRSA " +
+                                "-signedjar signed.jar test.jar test")
+                     .shouldHaveExitValue(0);
+
+        // run app again, should still succeed even though SHA-1 is disabled
+        pb = ProcessTools.createJavaProcessBuilder(
+            "-cp", "signed.jar",
+            "-Djava.system.class.loader=CustomClassLoader", "Main");
+        ProcessTools.executeProcess(pb)
+                    .shouldHaveExitValue(0);
+    }
+}

test/jdk/java/text/Format/NumberFormat/CurrencySymbols.properties

@@ -79,7 +79,7 @@ fr_FR=\u20AC
 fr_LU=\u20AC
 hi_IN=\u0930\u0942
 hr=\u00A4
-hr_HR=Kn
+hr_HR=\u20AC
 hu=\u00A4
 hu_HU=Ft
 is=\u00A4
@@ -94,9 +94,9 @@ ja_JP=\uFFE5
 ko=\u00A4
 ko_KR=\uFFE6
 lt=\u00A4
-lt_LT=Lt;2014-12-31-22-00-00;\u20AC
+lt_LT=\u20AC
 lv=\u00A4
-lv_LV=Ls;2013-12-31-22-00-00;\u20AC
+lv_LV=\u20AC
 mk=\u00A4
 mk_MK=Den
 nl=\u00A4

test/jdk/java/util/Currency/ValidateISO4217.java

@@ -24,7 +24,7 @@
  * @test
  * @bug 4691089 4819436 4942982 5104960 6544471 6627549 7066203 7195759
  *      8039317 8074350 8074351 8145952 8187946 8193552 8202026 8204269
- *      8208746 8209775 8264792 8274658 8283277
+ *      8208746 8209775 8264792 8274658 8283277 8296239
  * @summary Validate ISO 4217 data for Currency class.
  * @modules java.base/java.util:open
  *          jdk.localedata
@@ -34,7 +34,7 @@
  * ############################################################################
  *
  *  ValidateISO4217 is a tool to detect differences between the latest ISO 4217
- *  data and and Java's currency data which is based on ISO 4217.
+ *  data and Java's currency data which is based on ISO 4217.
  *  If there is a difference, the following file which includes currency data
  *  may need to be updated.
  *      src/share/classes/java/util/CurrencyData.properties

test/jdk/java/util/Currency/tablea1.txt

@@ -1,12 +1,12 @@
 #
 #
-# Amendments up until ISO 4217 AMENDMENT NUMBER 173
-#   (As of 23 September 2022)
+# Amendments up until ISO 4217 AMENDMENT NUMBER 174
+#   (As of 2 November 2022)
 #
 
 # Version
 FILEVERSION=3
-DATAVERSION=173
+DATAVERSION=174
 
 # ISO 4217 currency data
 AF	AFN	971	2
@@ -67,7 +67,7 @@ CD	CDF	976	2
 CK	NZD	554	2
 CR	CRC	188	2
 CI	XOF	952	0
-HR	HRK	191	2
+HR	HRK	191	2	2022-12-31-23-00-00	EUR	978	2
 CU	CUP	192	2
 CW	ANG	532	2
 CY	EUR	978	2