From 550beecc9b28c286e00fd72887eca73bb37d04f2 Mon Sep 17 00:00:00 2001
From: Daniel Hu <costmuch@amazon.com>
Date: Fri, 18 Apr 2025 20:31:47 +0000
Subject: [PATCH] Backport b0d145097cdc61e4bab19393a125e63aa3bc29b9

---
 .../classes/java/io/ByteArrayInputStream.java | 17 +++-
 .../TransferToTrusted.java                    | 92 +++++++++++++++++++
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 test/jdk/java/io/ByteArrayInputStream/TransferToTrusted.java

diff --git a/src/java.base/share/classes/java/io/ByteArrayInputStream.java b/src/java.base/share/classes/java/io/ByteArrayInputStream.java
index e9b1415205b..fc3f4667fab 100644
--- a/src/java.base/share/classes/java/io/ByteArrayInputStream.java
+++ b/src/java.base/share/classes/java/io/ByteArrayInputStream.java
@@ -207,10 +207,25 @@ public int readNBytes(byte[] b, int off, int len) {
     public synchronized long transferTo(OutputStream out) throws IOException {
         int len = count - pos;
         if (len > 0) {
+            // 'tmpbuf' is null if and only if 'out' is trusted
+            byte[] tmpbuf;
+            Class<?> outClass = out.getClass();
+            if (outClass == ByteArrayOutputStream.class ||
+                outClass == FileOutputStream.class ||
+                outClass == PipedOutputStream.class)
+                tmpbuf = null;
+            else
+                tmpbuf = new byte[Integer.min(len, MAX_TRANSFER_SIZE)];
+
             int nwritten = 0;
             while (nwritten < len) {
                 int nbyte = Integer.min(len - nwritten, MAX_TRANSFER_SIZE);
-                out.write(buf, pos, nbyte);
+                // if 'out' is not trusted, transfer via a temporary buffer
+                if (tmpbuf != null) {
+                    System.arraycopy(buf, pos, tmpbuf, 0, nbyte);
+                    out.write(tmpbuf, 0, nbyte);
+                } else
+                    out.write(buf, pos, nbyte);
                 pos += nbyte;
                 nwritten += nbyte;
             }
diff --git a/test/jdk/java/io/ByteArrayInputStream/TransferToTrusted.java b/test/jdk/java/io/ByteArrayInputStream/TransferToTrusted.java
new file mode 100644
index 00000000000..24b2209e814
--- /dev/null
+++ b/test/jdk/java/io/ByteArrayInputStream/TransferToTrusted.java
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8321053
+ * @summary Verify ByteArrayInputStream.buf is used directly by
+ *          ByteArrayInputStream.transferTo only when its OutputStream
+ *          parameter is trusted
+ * @key randomness
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.Random;
+
+public class TransferToTrusted {
+    private static final Random RND = new Random(System.nanoTime());
+
+    private static class UntrustedOutputStream extends OutputStream {
+        UntrustedOutputStream() {
+            super();
+        }
+
+        @Override
+        public void write(byte[] b, int off, int len) throws IOException {
+            Objects.checkFromIndexSize(off, len, b.length);
+            byte[] tmp = new byte[len];
+            RND.nextBytes(tmp);
+            System.arraycopy(tmp, 0, b, off, len);
+        }
+
+        @Override
+        public void write(int b) throws IOException {
+            write(new byte[] {(byte)b});
+        }
+    }
+
+    public static void main(String[] args) throws IOException {
+        byte[] buf = new byte[RND.nextInt(1025)];
+        System.out.println("buf.length: " + buf.length);
+        RND.nextBytes(buf);
+        byte[] dup = Arrays.copyOf(buf, buf.length);
+
+        ByteArrayInputStream bais = new ByteArrayInputStream(dup);
+        bais.mark(dup.length);
+
+        OutputStream[] outputStreams = new OutputStream[] {
+            new ByteArrayOutputStream(),
+            new UntrustedOutputStream()
+        };
+
+        for (OutputStream out : outputStreams) {
+            System.err.println("out: " + out.getClass().getName());
+
+            bais.transferTo(out);
+            bais.reset();
+            try {
+                if (!Arrays.equals(buf, bais.readAllBytes()))
+                    throw new RuntimeException("Internal buffer was modified");
+            } finally {
+                out.close();
+            }
+            bais.reset();
+        }
+    }
+}