changeset 4298:df445f522425
7013519: [parfait] Integer overflows in 2D code
Reviewed-by: prr, valeriep
author | bae |
---|---|
date | Thu, 17 Feb 2011 12:21:49 +0300 |
parents | aca0dc2b921c |
children | ccb2fcfb6d6b |
files | src/share/native/sun/awt/image/jpeg/imageioJPEG.c src/share/native/sun/font/layout/SunLayoutEngine.cpp |
diffstat | 2 files changed, 12 insertions(+), 1 deletions(-) [+] |
--- a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c Wed Feb 09 11:50:29 2011 +0800
+++ b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c Thu Feb 17 12:21:49 2011 +0300
@@ -1971,6 +1971,13 @@
 return data->abortFlag;
 }
+ if (cinfo->output_components <= 0 ||
+ cinfo->image_width > (0xffffffffu / (unsigned int)cinfo->output_components))
+ {
+ JNU_ThrowByName(env, "javax/imageio/IIOException",
+ "Invalid number of output components");
+ return data->abortFlag;
+ }
 // Allocate a 1-scanline buffer
 scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->output_components);
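Review bot: The exception text `"Invalid number of output components"` is also what the caller sees when `output_components` is valid and it is `image_width` that exceeds the quotient, so the message misreports the second half of the condition; wording such as `"Invalid scanline size"` would cover both cases. The literal `0xffffffffu` assumes the product passed to `malloc` is computed in 32-bit unsigned arithmetic; the field types are declared outside this page, so if that holds, `UINT_MAX` would tie the bound to the type instead of to a fixed width. A one-line comment above the guard, e.g. `/* reject width * components that would wrap before it reaches malloc() */`, would record why the check exists. The enclosing function starts and ends outside the hunk, so whether the `malloc` result is checked before the buffer is used cannot be confirmed from here.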
--- a/src/share/native/sun/font/layout/SunLayoutEngine.cpp Wed Feb 09 11:50:29 2011 +0800
+++ b/src/share/native/sun/font/layout/SunLayoutEngine.cpp Thu Feb 17 12:21:49 2011 +0300
@@ -186,7 +186,11 @@
 jchar buffer[256];
 jchar* chars = buffer;
 if (len > 256) {
- chars = (jchar*)malloc(len * sizeof(jchar));
+ size_t size = len * sizeof(jchar);
+ if (size / sizeof(jchar) != len) {
+ return;
+ }
+ chars = (jchar*)malloc(size);
 if (chars == 0) {
 return;
 }
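Review bot: The new overflow branch ends in a bare `return;`, like the existing `chars == 0` branch, so as far as the hunk shows the caller gets no pending Java exception and cannot tell a rejected length from a layout that produced nothing. The test `size / sizeof(jchar) != len` also compares a `size_t` with `len`, whose declaration is outside the hunk; if `len` is a signed JNI integer, the comparison is only meaningful because `len > 256` has already excluded negative values, which deserves a comment such as `// len is > 256 here, so the size_t comparison below is safe`. A check made before the multiplication, `if ((size_t)len > ((size_t)-1) / sizeof(jchar)) return;`, would state the intent without relying on wrap-around. The enclosing function starts and ends outside the hunk, so how `chars` is filled and freed is not visible here.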