JNI: cast offset/length to jlong before addition in bounds checks (F-1521 / F-1523)

cconlon · cconlon · commit b9e0a914719a · 2026-03-30T12:22:05.000-06:00
diff --git a/jni/jni_aes.c b/jni/jni_aes.c
@@ -128,11 +128,11 @@ Java_com_wolfssl_wolfcrypt_Aes_native_1update_1internal__I_3BII_3BI(
     }
     else if (length == 0) {
         ret = 0;
-    } else if ((word32)(offset + length) >
+    } else if (((jlong)offset + (jlong)length) >
              getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -196,11 +196,11 @@ Java_com_wolfssl_wolfcrypt_Aes_native_1update_1internal__ILjava_nio_ByteBuffer_2
     else if (offset < 0 || length < 0) {
         ret = BAD_FUNC_ARG; /* signed sanizizers */
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
diff --git a/jni/jni_aescmac.c b/jni/jni_aescmac.c
@@ -183,7 +183,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_AesCmac_wc_1CmacUpdate___3BII(
 
     /* Validate bounds to prevent buffer overflow */
     if (!cmac || !data || offset < 0 || length < 0 ||
-        (word32)(offset + length) > dataSz) {
+        ((jlong)offset + (jlong)length) > dataSz) {
         ret = BAD_FUNC_ARG;
     } else {
         ret = wc_CmacUpdate(cmac, data + offset, length);
@@ -222,7 +222,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_AesCmac_wc_1CmacUpdate__Ljava_
 
     /* Validate bounds to prevent buffer overflow */
     if (!cmac || !data || offset < 0 || length < 0 ||
-        (word32)(offset + length) > bufferLimit) {
+        ((jlong)offset + (jlong)length) > bufferLimit) {
         ret = BAD_FUNC_ARG;
     } else {
         ret = wc_CmacUpdate(cmac, data + offset, length);
diff --git a/jni/jni_aesctr.c b/jni/jni_aesctr.c
@@ -133,11 +133,11 @@ Java_com_wolfssl_wolfcrypt_AesCtr_native_1update_1internal___3BII_3BI(
     else if (length == 0) {
         ret = 0;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -196,11 +196,11 @@ Java_com_wolfssl_wolfcrypt_AesCtr_native_1update_1internal__Ljava_nio_ByteBuffer
     else if (offset < 0 || length < 0) {
         ret = BAD_FUNC_ARG;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
diff --git a/jni/jni_aescts.c b/jni/jni_aescts.c
@@ -161,11 +161,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesCts_native_1update_1interna
         /* CTS requires at least one block of input */
         ret = BUFFER_E;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
         getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
         getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -273,11 +273,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesCts_native_1update_1interna
         /* CTS requires at least one block of input */
         ret = BUFFER_E;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
         getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E;
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
         getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E;
     }
diff --git a/jni/jni_aesecb.c b/jni/jni_aesecb.c
@@ -134,11 +134,11 @@ Java_com_wolfssl_wolfcrypt_AesEcb_native_1update_1internal__I_3BII_3BI(
     else if ((length % AES_BLOCK_SIZE) != 0) {
         ret = BAD_FUNC_ARG; /* ECB requires block-aligned data */
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -205,11 +205,11 @@ Java_com_wolfssl_wolfcrypt_AesEcb_native_1update_1internal__ILjava_nio_ByteBuffe
     else if ((length % AES_BLOCK_SIZE) != 0) {
         ret = BAD_FUNC_ARG; /* ECB requires block-aligned data */
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
diff --git a/jni/jni_aesofb.c b/jni/jni_aesofb.c
@@ -134,11 +134,11 @@ Java_com_wolfssl_wolfcrypt_AesOfb_native_1update_1internal__I_3BII_3BI(
     else if (length == 0) {
         ret = 0;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -210,11 +210,11 @@ Java_com_wolfssl_wolfcrypt_AesOfb_native_1update_1internal__ILjava_nio_ByteBuffe
     else if (offset < 0 || length < 0) {
         ret = BAD_FUNC_ARG;
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
diff --git a/jni/jni_des3.c b/jni/jni_des3.c
@@ -123,11 +123,11 @@ Java_com_wolfssl_wolfcrypt_Des3_native_1update_1internal__I_3BII_3BI(
     else if (offset < 0 || length < 0 || outputOffset < 0) {
         ret = BAD_FUNC_ARG; /* signed sanizizers */
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getByteArrayLength(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getByteArrayLength(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
@@ -190,11 +190,11 @@ Java_com_wolfssl_wolfcrypt_Des3_native_1update_1internal__ILjava_nio_ByteBuffer_
     else if (offset < 0 || length < 0) {
         ret = BAD_FUNC_ARG; /* signed sanizizers */
     }
-    else if ((word32)(offset + length) >
+    else if (((jlong)offset + (jlong)length) >
              getDirectBufferLimit(env, input_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
-    else if ((word32)(outputOffset + length) >
+    else if (((jlong)outputOffset + (jlong)length) >
              getDirectBufferLimit(env, output_object)) {
         ret = BUFFER_E; /* buffer overflow check */
     }
diff --git a/jni/jni_rng.c b/jni/jni_rng.c
@@ -173,7 +173,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Rng_rngGenerateBlock___3BII(
 
     if (rng == NULL || buffer == NULL ||
         offset < 0 || length < 0 ||
-        ((word32)(offset + length) > bufferSz)) {
+        (((jlong)offset + (jlong)length) > bufferSz)) {
         ret = BAD_FUNC_ARG;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -128,11 +128,11 @@ Java_com_wolfssl_wolfcrypt_Aes_native_1update_1internal__I_3BII_3BI(`
`128`	`128`	`}`
`129`	`129`	`else if (length == 0) {`
`130`	`130`	`ret = 0;`
`131`		`- } else if ((word32)(offset + length) >`
	`131`	`+ } else if (((jlong)offset + (jlong)length) >`
`132`	`132`	`getByteArrayLength(env, input_object)) {`
`133`	`133`	`ret = BUFFER_E; /* buffer overflow check */`
`134`	`134`	`}`
`135`		`- else if ((word32)(outputOffset + length) >`
	`135`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`136`	`136`	`getByteArrayLength(env, output_object)) {`
`137`	`137`	`ret = BUFFER_E; /* buffer overflow check */`
`138`	`138`	`}`
`@@ -196,11 +196,11 @@ Java_com_wolfssl_wolfcrypt_Aes_native_1update_1internal__ILjava_nio_ByteBuffer_2`
`196`	`196`	`else if (offset < 0 \|\| length < 0) {`
`197`	`197`	`ret = BAD_FUNC_ARG; /* signed sanizizers */`
`198`	`198`	`}`
`199`		`- else if ((word32)(offset + length) >`
	`199`	`+ else if (((jlong)offset + (jlong)length) >`
`200`	`200`	`getDirectBufferLimit(env, input_object)) {`
`201`	`201`	`ret = BUFFER_E; /* buffer overflow check */`
`202`	`202`	`}`
`203`		`- else if ((word32)(outputOffset + length) >`
	`203`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`204`	`204`	`getDirectBufferLimit(env, output_object)) {`
`205`	`205`	`ret = BUFFER_E; /* buffer overflow check */`
`206`	`206`	`}`
Original file line number	Diff line number	Diff line change
`@@ -133,11 +133,11 @@ Java_com_wolfssl_wolfcrypt_AesCtr_native_1update_1internal___3BII_3BI(`
`133`	`133`	`else if (length == 0) {`
`134`	`134`	`ret = 0;`
`135`	`135`	`}`
`136`		`- else if ((word32)(offset + length) >`
	`136`	`+ else if (((jlong)offset + (jlong)length) >`
`137`	`137`	`getByteArrayLength(env, input_object)) {`
`138`	`138`	`ret = BUFFER_E; /* buffer overflow check */`
`139`	`139`	`}`
`140`		`- else if ((word32)(outputOffset + length) >`
	`140`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`141`	`141`	`getByteArrayLength(env, output_object)) {`
`142`	`142`	`ret = BUFFER_E; /* buffer overflow check */`
`143`	`143`	`}`
`@@ -196,11 +196,11 @@ Java_com_wolfssl_wolfcrypt_AesCtr_native_1update_1internal__Ljava_nio_ByteBuffer`
`196`	`196`	`else if (offset < 0 \|\| length < 0) {`
`197`	`197`	`ret = BAD_FUNC_ARG;`
`198`	`198`	`}`
`199`		`- else if ((word32)(offset + length) >`
	`199`	`+ else if (((jlong)offset + (jlong)length) >`
`200`	`200`	`getDirectBufferLimit(env, input_object)) {`
`201`	`201`	`ret = BUFFER_E; /* buffer overflow check */`
`202`	`202`	`}`
`203`		`- else if ((word32)(outputOffset + length) >`
	`203`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`204`	`204`	`getDirectBufferLimit(env, output_object)) {`
`205`	`205`	`ret = BUFFER_E; /* buffer overflow check */`
`206`	`206`	`}`
Original file line number	Diff line number	Diff line change
`@@ -161,11 +161,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesCts_native_1update_1interna`
`161`	`161`	`/* CTS requires at least one block of input */`
`162`	`162`	`ret = BUFFER_E;`
`163`	`163`	`}`
`164`		`- else if ((word32)(offset + length) >`
	`164`	`+ else if (((jlong)offset + (jlong)length) >`
`165`	`165`	`getByteArrayLength(env, input_object)) {`
`166`	`166`	`ret = BUFFER_E; /* buffer overflow check */`
`167`	`167`	`}`
`168`		`- else if ((word32)(outputOffset + length) >`
	`168`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`169`	`169`	`getByteArrayLength(env, output_object)) {`
`170`	`170`	`ret = BUFFER_E; /* buffer overflow check */`
`171`	`171`	`}`
`@@ -273,11 +273,11 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_wolfcrypt_AesCts_native_1update_1interna`
`273`	`273`	`/* CTS requires at least one block of input */`
`274`	`274`	`ret = BUFFER_E;`
`275`	`275`	`}`
`276`		`- else if ((word32)(offset + length) >`
	`276`	`+ else if (((jlong)offset + (jlong)length) >`
`277`	`277`	`getDirectBufferLimit(env, input_object)) {`
`278`	`278`	`ret = BUFFER_E;`
`279`	`279`	`}`
`280`		`- else if ((word32)(outputOffset + length) >`
	`280`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`281`	`281`	`getDirectBufferLimit(env, output_object)) {`
`282`	`282`	`ret = BUFFER_E;`
`283`	`283`	`}`
Original file line number	Diff line number	Diff line change
`@@ -134,11 +134,11 @@ Java_com_wolfssl_wolfcrypt_AesEcb_native_1update_1internal__I_3BII_3BI(`
`134`	`134`	`else if ((length % AES_BLOCK_SIZE) != 0) {`
`135`	`135`	`ret = BAD_FUNC_ARG; /* ECB requires block-aligned data */`
`136`	`136`	`}`
`137`		`- else if ((word32)(offset + length) >`
	`137`	`+ else if (((jlong)offset + (jlong)length) >`
`138`	`138`	`getByteArrayLength(env, input_object)) {`
`139`	`139`	`ret = BUFFER_E; /* buffer overflow check */`
`140`	`140`	`}`
`141`		`- else if ((word32)(outputOffset + length) >`
	`141`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`142`	`142`	`getByteArrayLength(env, output_object)) {`
`143`	`143`	`ret = BUFFER_E; /* buffer overflow check */`
`144`	`144`	`}`
`@@ -205,11 +205,11 @@ Java_com_wolfssl_wolfcrypt_AesEcb_native_1update_1internal__ILjava_nio_ByteBuffe`
`205`	`205`	`else if ((length % AES_BLOCK_SIZE) != 0) {`
`206`	`206`	`ret = BAD_FUNC_ARG; /* ECB requires block-aligned data */`
`207`	`207`	`}`
`208`		`- else if ((word32)(offset + length) >`
	`208`	`+ else if (((jlong)offset + (jlong)length) >`
`209`	`209`	`getDirectBufferLimit(env, input_object)) {`
`210`	`210`	`ret = BUFFER_E; /* buffer overflow check */`
`211`	`211`	`}`
`212`		`- else if ((word32)(outputOffset + length) >`
	`212`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`213`	`213`	`getDirectBufferLimit(env, output_object)) {`
`214`	`214`	`ret = BUFFER_E; /* buffer overflow check */`
`215`	`215`	`}`
Original file line number	Diff line number	Diff line change
`@@ -123,11 +123,11 @@ Java_com_wolfssl_wolfcrypt_Des3_native_1update_1internal__I_3BII_3BI(`
`123`	`123`	`else if (offset < 0 \|\| length < 0 \|\| outputOffset < 0) {`
`124`	`124`	`ret = BAD_FUNC_ARG; /* signed sanizizers */`
`125`	`125`	`}`
`126`		`- else if ((word32)(offset + length) >`
	`126`	`+ else if (((jlong)offset + (jlong)length) >`
`127`	`127`	`getByteArrayLength(env, input_object)) {`
`128`	`128`	`ret = BUFFER_E; /* buffer overflow check */`
`129`	`129`	`}`
`130`		`- else if ((word32)(outputOffset + length) >`
	`130`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`131`	`131`	`getByteArrayLength(env, output_object)) {`
`132`	`132`	`ret = BUFFER_E; /* buffer overflow check */`
`133`	`133`	`}`
`@@ -190,11 +190,11 @@ Java_com_wolfssl_wolfcrypt_Des3_native_1update_1internal__ILjava_nio_ByteBuffer_`
`190`	`190`	`else if (offset < 0 \|\| length < 0) {`
`191`	`191`	`ret = BAD_FUNC_ARG; /* signed sanizizers */`
`192`	`192`	`}`
`193`		`- else if ((word32)(offset + length) >`
	`193`	`+ else if (((jlong)offset + (jlong)length) >`
`194`	`194`	`getDirectBufferLimit(env, input_object)) {`
`195`	`195`	`ret = BUFFER_E; /* buffer overflow check */`
`196`	`196`	`}`
`197`		`- else if ((word32)(outputOffset + length) >`
	`197`	`+ else if (((jlong)outputOffset + (jlong)length) >`
`198`	`198`	`getDirectBufferLimit(env, output_object)) {`
`199`	`199`	`ret = BUFFER_E; /* buffer overflow check */`
`200`	`200`	`}`
Original file line number	Diff line number	Diff line change
`@@ -173,7 +173,7 @@ JNIEXPORT void JNICALL Java_com_wolfssl_wolfcrypt_Rng_rngGenerateBlock___3BII(`
`173`	`173`
`174`	`174`	`if (rng == NULL \|\| buffer == NULL \|\|`
`175`	`175`	`offset < 0 \|\| length < 0 \|\|`
`176`		`- ((word32)(offset + length) > bufferSz)) {`
	`176`	`+ (((jlong)offset + (jlong)length) > bufferSz)) {`
`177`	`177`	`ret = BAD_FUNC_ARG;`
`178`	`178`	`}`
`179`	`179`