Goto_w instruction handled improperly

Issue #216 resolved
Evelyn Snow
created an issue

If I assemble a class with a goto_w instruction in it, it appears that Procyon only considers the first word (i.e., it treats it as goto 0, regardless of its actual target).

The most worrying implication of this is that code can be hidden from Procyon, by creating otherwise dead code, and then using a goto_w instruction to jump backwards into it.

This has major security implications when Procyon is used to audit class files for malicious code.

I can provide an example file, showing how the code is hidden, if this would help.
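For readers auditing class files, here is an added example (not part of the original report and not Procyon's code) that compares the instruction offsets reached when goto_w's 4-byte operand is decoded in full against those reached when only its first 16-bit word is read. The opcode table covers only the opcodes in the constructed sample, and the function names and sample bytes are assumptions made for illustration.

```python
import struct

# Opcode -> total instruction length; only the opcodes used in the constructed
# sample below. A real checker needs the full JVM opcode table.
LENGTHS = {0x00: 1, 0x03: 1, 0x57: 1, 0xB1: 1, 0xA7: 3, 0xC8: 5}
NOP, ICONST_0, POP, RETURN, GOTO, GOTO_W = 0x00, 0x03, 0x57, 0xB1, 0xA7, 0xC8


def branch_target(code, pc, full_width=True):
    """Target pc of the goto/goto_w at pc. Offsets are signed, big-endian,
    relative to the opcode's own address. full_width=False models a decoder
    that reads only the first 16-bit word of goto_w's 32-bit operand."""
    if code[pc] == GOTO_W and full_width:
        (offset,) = struct.unpack_from(">i", code, pc + 1)
    else:
        (offset,) = struct.unpack_from(">h", code, pc + 1)
    return pc + offset


def reachable(code, full_width=True):
    """Instruction offsets reachable from pc 0 by following control flow."""
    seen, work = set(), [0]
    while work:
        pc = work.pop()
        if pc in seen or not 0 <= pc < len(code):
            continue
        op = code[pc]
        if op not in LENGTHS:
            raise ValueError(f"opcode {op:#x} at pc {pc} not in sample table")
        seen.add(pc)
        if op in (GOTO, GOTO_W):
            work.append(branch_target(code, pc, full_width))
        elif op != RETURN:
            work.append(pc + LENGTHS[op])
    return seen


# Constructed sample method body (not from the issue):
SAMPLE = bytes([
    GOTO, 0x00, 0x07,                  # pc 0: goto 7, skipping pcs 3..6
    ICONST_0, POP, RETURN,             # pc 3..5: block with no forward path
    NOP,                               # pc 6
    GOTO_W, 0xFF, 0xFF, 0xFF, 0xFC,    # pc 7: goto_w -4 -> pc 3
])


def unseen_by_first_word_decoder(code):
    """Offsets the JVM can execute that the truncating decoder never visits."""
    return sorted(reachable(code, True) - reachable(code, False))
```

Any non-empty result from `unseen_by_first_word_decoder` marks instructions that execute at run time but would be absent from output produced by the truncating decoder.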

Comments (8)

  1. Mike Strobel repo owner

    Thanks, Evelyn, this is definitely a serious bug, and I will see if I can get it patched today. My apologies for not taking notice sooner—I've had a very busy couple of weeks. If you have a simple class file that can reproduce the problem, that will save me some time and give me a useful addition to the test suite. I'll take the original assembler file too, if it's Jasmin/Krakatau compatible.
