Mercurial > hg > release > icedtea6-1.10

# HG changeset patch
# User amenkov
# Date 1319622989 -14400
# Node ID b34a3ed0c8f2f6b9121d38ed330430d913f8a385
# Parent  cdc68d7a17dd412402b100dc427abbe0a90cf2ab
7088367: JavaSound security issue (12865443)
Reviewed-by: denis

diff --git a/src/share/classes/com/sun/media/sound/DirectAudioDevice.java b/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
--- openjdk/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
+++ openjdk/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
@@ -771,7 +771,7 @@ class DirectAudioDevice extends Abstract
             if (off < 0) {
                 throw new ArrayIndexOutOfBoundsException(off);
             }
-            if (off + len > b.length) {
+            if ((long)off + (long)len > (long)b.length) {
                 throw new ArrayIndexOutOfBoundsException(b.length);
             }

@@ -1000,7 +1000,7 @@ class DirectAudioDevice extends Abstract
             if (off < 0) {
                 throw new ArrayIndexOutOfBoundsException(off);
             }
-            if (off + len > b.length) {
+            if ((long)off + (long)len > (long)b.length) {
                 throw new ArrayIndexOutOfBoundsException(b.length);
             }
             if (!isActive() && doIO) {
diff --git a/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java b/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
--- openjdk/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
+++ openjdk/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
@@ -130,6 +130,12 @@ public class SoftMixingSourceDataLine ex
         if (len % framesize != 0)
             throw new IllegalArgumentException(
                     "Number of bytes does not represent an integral number of sample frames.");
+        if (off < 0) {
+            throw new ArrayIndexOutOfBoundsException(off);
+        }
+        if ((long)off + (long)len > (long)b.length) {
+            throw new ArrayIndexOutOfBoundsException(b.length);
+        }

         byte[] buff = cycling_buffer;
         int buff_len = cycling_buffer.length;
author	Andrew John Hughes <ahughes@redhat.com>
date	Thu, 09 Feb 2012 17:05:26 +0000
parents
children