From dca8d5a48bcd47cc9e80d4e262518a882808ecd7 Mon Sep 17 00:00:00 2001
From: xzf1234
Date: Tue, 25 Apr 2023 17:07:34 +0800
Subject: [PATCH] fix CVE-2023-21939
---
 fix-CVE-2023-21939.patch | 158 +++++++++++++++++++++++++++++++++++++++
 openjdk-1.8.0.spec | 7 +-
 2 files changed, 164 insertions(+), 1 deletion(-)
 create mode 100644 fix-CVE-2023-21939.patch
diff --git a/fix-CVE-2023-21939.patch b/fix-CVE-2023-21939.patch
new file mode 100644
index 0000000..94cc936
--- /dev/null
+++ b/fix-CVE-2023-21939.patch
@@ -0,0 +1,158 @@
+From f125e332ffdd4b51002227e1d0a17d97d5a2ee0d Mon Sep 17 00:00:00 2001
+From: xzf1234
+Date: Tue, 25 Apr 2023 17:00:43 +0800
+Subject: [PATCH] fix CVE-2023-21939
+
+---
+ .../javax/swing/plaf/basic/BasicHTML.java | 26 ++++++++++++++++---
+ .../javax/swing/text/html/HTMLEditorKit.java | 8 ++++--
+ .../javax/swing/text/html/ObjectView.java | 10 +++++++
+ .../classes/sun/swing/SwingAccessor.java | 15 +++++++++++
+ 4 files changed, 54 insertions(+), 5 deletions(-)
+
+diff --git a/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java b/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
+index 250c6d4..73f5a32 100644
+--- a/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
++++ b/jdk/src/share/classes/javax/swing/plaf/basic/BasicHTML.java
+@@ -33,6 +33,7 @@ import javax.swing.*;
+ import javax.swing.text.*;
+ import javax.swing.text.html.*;
+
++import sun.swing.SwingAccessor;
+ import sun.swing.SwingUtilities2;
+
+ /**
+@@ -204,7 +205,7 @@ public class BasicHTML {
+ View value = null;
+ View oldValue = (View)c.getClientProperty(BasicHTML.propertyKey);
+ Boolean htmlDisabled = (Boolean) c.getClientProperty(htmlDisable);
+- if (htmlDisabled != Boolean.TRUE && BasicHTML.isHTMLString(text)) {
++ if (!(Boolean.TRUE.equals(htmlDisabled)) && BasicHTML.isHTMLString(text)) {
+ value = BasicHTML.createHTMLView(c, text);
+ }
+ if (value != oldValue && oldValue != null) {
+@@ -359,16 +360,35 @@ public class BasicHTML {
+ */
+ static class BasicHTMLViewFactory extends HTMLEditorKit.HTMLFactory {
+ public View create(Element elem) {
+- View view = super.create(elem);
+
++ View view = null;
++ try {
++ setAllowHTMLObject();
++ view = super.create(elem);
++ } finally {
++ clearAllowHTMLObject();
++ }
+ if (view instanceof ImageView) {
+ ((ImageView)view).setLoadsSynchronously(true);
+ }
+ return view;
+ }
+- }
+
++ private static Boolean useOV = null;
+
++ private static void setAllowHTMLObject() {
++ if (useOV == null) {
++ useOV = java.security.AccessController.doPrivileged(
++ new sun.security.action.GetBooleanAction(
++ "swing.html.object"));
++ };
++ SwingAccessor.setAllowHTMLObject(useOV);
++ }
++
++ private static void clearAllowHTMLObject() {
++ SwingAccessor.setAllowHTMLObject(null);
++ }
++ }
+ /**
+ * The subclass of HTMLDocument that is used as the model. getForeground
+ * is overridden to return the foreground property from the Component this
+diff --git a/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java b/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
+index 425ba5f..47228fc 100644
+--- a/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
++++ b/jdk/src/share/classes/javax/swing/text/html/HTMLEditorKit.java
+@@ -40,7 +40,7 @@ import javax.accessibility.*;
+ import java.lang.ref.*;
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+-
++import sun.swing.SwingAccessor;
+ /**
+ * The Swing JEditorPane text component supports different kinds
+ * of content via a plug-in mechanism called an EditorKit. Because
+@@ -1182,7 +1182,11 @@ public class HTMLEditorKit extends StyledEditorKit implements Accessible {
+ (kind == HTML.Tag.TEXTAREA)) {
+ return new FormView(elem);
+ } else if (kind == HTML.Tag.OBJECT) {
+- return new ObjectView(elem);
++ if (SwingAccessor.getAllowHTMLObject()) {
++ return new ObjectView(elem);
++ } else {
++ return new ObjectView(elem, false);
++ }
+ } else if (kind == HTML.Tag.FRAMESET) {
+ if (elem.getAttributes().isDefined(HTML.Attribute.ROWS)) {
+ return new FrameSetView(elem, View.Y_AXIS);
+diff --git a/jdk/src/share/classes/javax/swing/text/html/ObjectView.java b/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
+index 5bcbc10..9671f6c 100644
+--- a/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
++++ b/jdk/src/share/classes/javax/swing/text/html/ObjectView.java
+@@ -72,6 +72,8 @@ import sun.reflect.misc.ReflectUtil;
+ */
+ public class ObjectView extends ComponentView {
+
++ private boolean createComp = true; // default
++
+ /**
+ * Creates a new ObjectView object.
+ *
+@@ -81,12 +83,20 @@ public class ObjectView extends ComponentView {
+ super(elem);
+ }
+
++ ObjectView(Element elem, boolean createComp) {
++ super(elem);
++ this.createComp = createComp;
++ }
++
+ /**
+ * Create the component. The classid is used
+ * as a specification of the classname, which
+ * we try to load.
+ */
+ protected Component createComponent() {
++ if (!createComp) {
++ return getUnloadableRepresentation();
++ }
+ AttributeSet attr = getElement().getAttributes();
+ String classname = (String) attr.getAttribute(HTML.Attribute.CLASSID);
+ try {
+diff --git a/jdk/src/share/classes/sun/swing/SwingAccessor.java b/jdk/src/share/classes/sun/swing/SwingAccessor.java
+index 797802a..8cec052 100644
+--- a/jdk/src/share/classes/sun/swing/SwingAccessor.java
++++ b/jdk/src/share/classes/sun/swing/SwingAccessor.java
+@@ -156,4 +156,19 @@ public final class SwingAccessor {
+ }
+ return repaintManagerAccessor;
+ }
++
++ private static ThreadLocal tlObj = new ThreadLocal();
++
++ public static Boolean getAllowHTMLObject() {
++ Boolean b = tlObj.get();
++ if (b == null) {
++ return Boolean.TRUE;
++ } else {
++ return b;
++ }
++ }
++
++ public static void setAllowHTMLObject(Boolean val) {
++ tlObj.set(val);
++ }
+ }
+--
+2.33.1.windows.1
+
diff --git a/openjdk-1.8.0.spec b/openjdk-1.8.0.spec
index 817a111..bfc4f97 100644
--- a/openjdk-1.8.0.spec
+++ b/openjdk-1.8.0.spec
@@ -926,7 +926,7 @@ Provides: java-%{javaver}-%{origin}-accessibility%{?1} = %{epoch}:%{version}-%{r
 Name: java-%{javaver}-%{origin}
 Version: %{javaver}.%{updatever}.%{buildver}
-Release: 3
+Release: 4
 # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
 # and this change was brought into RHEL-4. java-1.5.0-ibm packages
 # also included the epoch in their virtual provides. This created a
@@ -1194,6 +1194,7 @@ Patch298: Add-CMS-s-trim-test-cases-and-fix-failure.patch
 Patch299: Disable-cds-on-x86-32.patch
 Patch300: Disable-no-compressedOop-cds-on-x86-32.patch
 Patch301: fix-SUSE-x86_32-build-failure.patch
+Patch302: fix-CVE-2023-21939.patch
 #############################################
 #
@@ -1726,6 +1727,7 @@ pushd %{top_level_dir_name}
 %patch299 -p1
 %patch300 -p1
 %patch301 -p1
+%patch302 -p1
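Review bot: In the SwingAccessor.java section of the added patch, `getAllowHTMLObject()` returns `Boolean.TRUE` when the thread-local is unset, so the new restriction is opt-out: only `BasicHTMLViewFactory.create` narrows it, and an `HTMLEditorKit.HTMLFactory` used directly still builds a class-loading `ObjectView` for OBJECT elements. If that default is kept for compatibility, it should be stated where it is decided, for example `// unset means allowed; BasicHTML narrows this per call from the swing.html.object property` above `getAllowHTMLObject()`. `clearAllowHTMLObject()` also writes `null` instead of putting back the value it found, so if `create` were ever re-entered on the same thread the outer call would fall back to the permissive default; saving the previous value and restoring it in the `finally` block would close that gap. The `useOV` cache is a plain static written without synchronisation, which looks harmless only because every thread would compute the same property value.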
@@ -2365,6 +2367,9 @@ cjc.mainProgram(arg)
 %endif
 %changelog
+* Tue Apr 25 2023 xzf1244 - 1:1.8.0.362-b09.4
+- fix CVE-2023-21939
+
 * Mon Feb 27 2023 panxuefeng - 1:1.8.0.362-b09.3
 - update LoongArch64 port to jdk8u362-b09-ls-1
 - fix typos error
--
Gitee