On Wed, 15 Jun 2022 19:58:41 GMT, Weijun Wang <[email protected]> wrote:
>> src/java.base/share/classes/com/sun/crypto/provider/GCTR.java line 242:
>>
>>> 240: dst.put(in, 0, processed);
>>> 241: } finally {
>>> 242: Arrays.fill(in, (byte)0);
>>
>> The same handling should be applied to the 'out' buffer allocated on line
>> 177 assuming the idea is to not leave copies of user data lying around on
>> the heap. Recovered text may contain the same bytes as plain text, so
>> arguably the same handling should be applied to both input/output?
>
> Seems so. BTW, I was using a test-driven programming model and have not
> observed a leak here. I'll see if I can trigger one.
Sounds good. Rest of changes look fine.
-------------
PR: https://git.openjdk.org/jdk/pull/9158
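
The point discussed in this thread, as an added example that is not part of the original message and is not OpenJDK code: a transform that stages data through heap scratch arrays wipes both the input and the output copy in `finally`, and a recording allocator lets a test inspect those arrays after success and after a failed `put`. The class name, the `process` and `allZero` helpers, the injected allocator and the toy XOR are all assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.IntFunction;

public class ScratchWipeDemo {
    // Processes src into dst via heap scratch arrays and wipes both on every exit path.
    static int process(ByteBuffer src, ByteBuffer dst, IntFunction<byte[]> alloc) {
        int len = src.remaining();
        byte[] in = alloc.apply(len);
        byte[] out = alloc.apply(len);
        try {
            src.get(in, 0, len);
            for (int i = 0; i < len; i++) {
                out[i] = (byte) (in[i] ^ 0x5A); // toy XOR, stands in for the cipher
            }
            dst.put(out, 0, len); // throws BufferOverflowException if dst is too small
            return len;
        } finally {
            Arrays.fill(in, (byte) 0);
            Arrays.fill(out, (byte) 0);
        }
    }

    static boolean allZero(List<byte[]> arrays) {
        for (byte[] a : arrays) for (byte b : a) if (b != 0) return false;
        return true;
    }

    public static void main(String[] args) {
        List<byte[]> scratch = new ArrayList<>();
        IntFunction<byte[]> recording = n -> { byte[] a = new byte[n]; scratch.add(a); return a; };
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.US_ASCII);

        // Success path: both scratch arrays must be zero afterwards.
        ByteBuffer src = ByteBuffer.allocateDirect(msg.length);
        src.put(msg);
        src.flip();
        process(src, ByteBuffer.allocateDirect(msg.length), recording);
        System.out.println("wiped after success: " + allZero(scratch));

        // Failure path: dst is too small, put() throws, finally still wipes.
        src.rewind();
        try {
            process(src, ByteBuffer.allocateDirect(4), recording);
        } catch (java.nio.BufferOverflowException e) {
            System.out.println("wiped after failure: " + allZero(scratch));
        }
    }
}
```

Removing either `Arrays.fill` call makes the corresponding check print `false`, which is the kind of regression a unit test can catch without a heap dump.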