bug#68333: Time bomb in icedtea/openjdk

[Rostislav Svoboda]

> I couldn’t find ‘GenerateCurrencyData.java’ though, not sure where it lives.

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ fd GenerateCurrencyData.java
icedtea-2.6.13/openjdk/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
icedtea-2.6.13/openjdk-boot/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ fd
GenerateCurrencyData.java | xargs sha1sum
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk-boot/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
e819f2a934acca80a8eee42434459c70ad1bbf76
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java

bost@ecke /tmp/guix-build-icedtea-2.6.13.drv-0$ rg -N -B 30 -A 12
'time is more than 10 years from present'
icedtea-2.6.13/openjdk.src/jdk/make/tools/src/build/tools/generatecurrencydata/GenerateCurrencyData.java
    private static int makeSpecialCaseEntry(String currencyInfo)
throws Exception {
        Integer oldEntry = specialCaseMap.get(currencyInfo);
        if (oldEntry != null) {
            return oldEntry.intValue();
        }
        if (specialCaseCount == maxSpecialCases) {
            throw new RuntimeException("too many special cases");
        }
        if (currencyInfo.length() == 3) {
            checkCurrencyCode(currencyInfo);
            specialCaseCutOverTimes[specialCaseCount] = Long.MAX_VALUE;
            specialCaseOldCurrencies[specialCaseCount] = currencyInfo;
            specialCaseOldCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(currencyInfo);
            specialCaseOldCurrenciesNumericCode[specialCaseCount] =
getNumericCode(currencyInfo);
            specialCaseNewCurrencies[specialCaseCount] = null;
            specialCaseNewCurrenciesDefaultFractionDigits[specialCaseCount] = 0;
            specialCaseNewCurrenciesNumericCode[specialCaseCount] = 0;
        } else {
            int length = currencyInfo.length();
            if (currencyInfo.charAt(3) != ';' ||
                    currencyInfo.charAt(length - 4) != ';') {
                throw new RuntimeException("invalid currency info: " +
currencyInfo);
            }
            String oldCurrency = currencyInfo.substring(0, 3);
            String newCurrency = currencyInfo.substring(length - 3, length);
            checkCurrencyCode(oldCurrency);
            checkCurrencyCode(newCurrency);
            String timeString = currencyInfo.substring(4, length - 4);
            long time = format.parse(timeString).getTime();
            if (Math.abs(time - System.currentTimeMillis()) > ((long)
10) * 365 * 24 * 60 * 60 * 1000) {
                throw new RuntimeException("time is more than 10 years
from present: " + time);
            }
            specialCaseCutOverTimes[specialCaseCount] = time;
            specialCaseOldCurrencies[specialCaseCount] = oldCurrency;
            specialCaseOldCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(oldCurrency);
            specialCaseOldCurrenciesNumericCode[specialCaseCount] =
getNumericCode(oldCurrency);
            specialCaseNewCurrencies[specialCaseCount] = newCurrency;
            specialCaseNewCurrenciesDefaultFractionDigits[specialCaseCount]
= getDefaultFractionDigits(newCurrency);
            specialCaseNewCurrenciesNumericCode[specialCaseCount] =
getNumericCode(newCurrency);
        }
        specialCaseMap.put(currencyInfo, new Integer(specialCaseCount));
        return specialCaseCount++;
    }