Mercurial > hg > release > icedtea6-1.11
view patches/security/20130618/8012597-better_image_channel_validation.patch @ 2907:d7eca687b7d2
Add 2013/06/18 security patches.
2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org>
* patches/idresolver_fix.patch:
Removed. Part of 6469266.
* Makefile.am:
(SECURITY_PATCHES): Add new ones.
(SPECIAL_SECURITY_PATCH_1): Renamed from
SPECIAL_SECURITY_PATCH.
(SPECIAL_SECURITY_PATCH_2): Add 8009071, which
needs to be applied after some AWT backports.
(ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}.
Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES
as must be applied before 8004584. Add 7171223 to
end.
* patches/openjdk/6307603-xrender-01.patch,
* patches/openjdk/6469266-xmlsec_1.4.2.patch,
* patches/openjdk/6656651-windows_lcd_glyphs.patch,
* patches/openjdk/6786028-wcag_bold_tags.patch,
* patches/openjdk/6786682-wcag_lang.patch,
* patches/openjdk/6786688-wcag_table.patch,
* patches/openjdk/6786690-wcag_dl.patch,
* patches/openjdk/6802694-no_deprecated.patch,
* patches/openjdk/6851834-restructure.patch,
* patches/openjdk/6888167-medialib_memory_leaks.patch,
* patches/openjdk/6961178-doclet_xml.patch,
* patches/openjdk/6990754-use_native_memory_for_symboltable.patch,
* patches/openjdk/7006270-regressions.patch,
* patches/openjdk/7008809-report_class_in_arraystoreexception.patch,
* patches/openjdk/7014851-unused_parallel_compaction_code.patch,
* patches/openjdk/7017732-move_static_fields_to_class.patch,
* patches/openjdk/7036747-elfstringtable.patch,
* patches/openjdk/7086585-flexible_field_injection.patch,
* patches/openjdk/7171223-strict_aliasing.patch,
* patches/openjdk/7195301-no_instanceof_node.patch,
* patches/security/20130618/6741606-apache_santuario.patch,
* patches/security/20130618/7158805-nested_subroutine_rewriting.patch,
* patches/security/20130618/7170730-windows_network_stack.patch,
* patches/security/20130618/8000638-improve_deserialization.patch,
* patches/security/20130618/8000642-better_transportation_handling.patch,
* patches/security/20130618/8001032-restrict_object_access-corba.patch,
* patches/security/20130618/8001032-restrict_object_access-jdk.patch,
* patches/security/20130618/8001033-refactor_address_handling.patch,
* patches/security/20130618/8001034-memory_management.patch,
* patches/security/20130618/8001038-resourcefully_handle_resources.patch,
* patches/security/20130618/8001043-clarify_definition_restrictions.patch,
* patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch,
* patches/security/20130618/8001318-6_fixup.patch,
* patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch,
* patches/security/20130618/8001330-checking_order_improvement.patch,
* patches/security/20130618/8001330-improve_checking_order.patch,
* patches/security/20130618/8003703-update_rmi_connection_dialog.patch,
* patches/security/20130618/8004584-augment_applet_contextualization.patch,
* patches/security/20130618/8005007-better_glyph_processing.patch,
* patches/security/20130618/8006328-6_fixup.patch,
* patches/security/20130618/8006328-sound_class_robustness.patch,
* patches/security/20130618/8006611-improve_scripting.patch,
* patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch,
* patches/security/20130618/8007471-6_fixup.patch,
* patches/security/20130618/8007471-improve_mbean_notifications.patch,
* patches/security/20130618/8007812-getenclosingmethod.patch,
* patches/security/20130618/8008120-improve_jmx_class_checking.patch,
* patches/security/20130618/8008124-better_compliance_testing.patch,
* patches/security/20130618/8008128-better_jmx_api_coherence.patch,
* patches/security/20130618/8008132-better_serialization.patch,
* patches/security/20130618/8008585-jmx_data_handling.patch,
* patches/security/20130618/8008593-better_urlclassloader.patch,
* patches/security/20130618/8008603-jmx_provider_provision.patch,
* patches/security/20130618/8008611-6_fixup.patch,
* patches/security/20130618/8008611-jmx_annotations.patch,
* patches/security/20130618/8008615-jmx_internal_api_robustness.patch,
* patches/security/20130618/8008623-mbeanserver_handling.patch,
* patches/security/20130618/8008744-6741606_rework.patch,
* patches/security/20130618/8008982-jmx_interface_changes.patch,
* patches/security/20130618/8009004-rmi_connection_improvement.patch,
* patches/security/20130618/8009013-t2k_glyphs.patch,
* patches/security/20130618/8009034-jmx_notification_improvement.patch,
* patches/security/20130618/8009038-jmx_notification_support_improvement.patch,
* patches/security/20130618/8009067-improve_key_storing.patch,
* patches/security/20130618/8009071-improve_shape_handling.patch,
* patches/security/20130618/8009235-improve_tsa_data_handling.patch,
* patches/security/20130618/8009554-serialjavaobject.patch,
* patches/security/20130618/8011243-improve_imaginglib.patch,
* patches/security/20130618/8011248-better_component_rasters.patch,
* patches/security/20130618/8011253-better_short_component_rasters.patch,
* patches/security/20130618/8011257-better_byte_component_rasters.patch,
* patches/security/20130618/8011557-improve_reflection.patch,
* patches/security/20130618/8012375-javadoc_framing.patch,
* patches/security/20130618/8012421-better_positioning.patch,
* patches/security/20130618/8012438-better_image_validation.patch,
* patches/security/20130618/8012597-better_image_channel_validation.patch,
* patches/security/20130618/8012601-better_layout_validation.patch,
* patches/security/20130618/8014281-better_xml_signature_checking.patch,
* patches/security/20130618/8015997-more_javadoc_framing.patch,
* patches/security/20130618/diamond_fix.patch,
* patches/security/20130618/handle_npe.patch,
* patches/security/20130618/hs_merge-01.patch,
* patches/security/20130618/hs_merge-02.patch,
* patches/security/20130618/hs_merge-03.patch,
* patches/security/20130618/hs_merge-04.patch,
* patches/security/20130618/javac_issue.patch,
* patches/security/20130618/langtools_generics.patch,
* patches/security/20130618/langtools_merge-01.patch,
* patches/security/20130618/langtools_merge-02.patch,
* patches/security/20130618/langtools_merge-03.patch:
2013/06/18 security patches.
| author | Andrew John Hughes <gnu.andrew@redhat.com> |
|---|---|
| date | Sat, 22 Jun 2013 16:38:24 -0500 |
| parents | |
| children |
line wrap: on
line source
# HG changeset patch # User bae # Date 1367281246 -14400 # Node ID 940eac3712db0f139069d1048f021f0e70cbbb3a # Parent 63028eef41bcd0e7ea49d333dc25ad27cd5e33a4 8012597: Better image channel verification Reviewed-by: ahgross, vadim, prr diff --git a/src/share/classes/java/awt/image/BufferedImage.java b/src/share/classes/java/awt/image/BufferedImage.java --- openjdk/jdk/src/share/classes/java/awt/image/BufferedImage.java +++ openjdk/jdk/src/share/classes/java/awt/image/BufferedImage.java @@ -654,17 +654,19 @@ int csType = cs.getType(); if (csType != ColorSpace.TYPE_RGB) { if (csType == ColorSpace.TYPE_GRAY - && cm instanceof ComponentColorModel) { + && ComponentColorModel.class.equals(cm.getClass())) { // Check if this might be a child raster (fix for bug 4240596) if (sm instanceof ComponentSampleModel && ((ComponentSampleModel)sm).getPixelStride() != numBands) { imageType = TYPE_CUSTOM; } else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 8 && ((ByteComponentRaster)raster).getPixelStride() == 1) { imageType = TYPE_BYTE_GRAY; } else if (raster instanceof ShortComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 16 && ((ShortComponentRaster)raster).getPixelStride() == 1) { @@ -684,7 +686,8 @@ // are correct int pixSize = cm.getPixelSize(); if (iraster.getPixelStride() == 1 && - cm instanceof DirectColorModel && + DirectColorModel.class.equals(cm.getClass()) && + SinglePixelPackedSampleModel.class.equals(sm.getClass()) && (pixSize == 32 || pixSize == 24)) { // Now check on the DirectColorModel params @@ -715,16 +718,21 @@ } // if (rmask == DCM_BGR_RED_MASK && } // if (iraster.getPixelStride() == 1 } // ((raster instanceof IntegerComponentRaster) && - else if ((cm instanceof IndexColorModel) && (numBands == 1) && + else if ((IndexColorModel.class.equals(cm.getClass())) && + (numBands == 1) && (!cm.hasAlpha() || !isAlphaPre)) { IndexColorModel icm = (IndexColorModel) cm; int pixSize = icm.getPixelSize(); - if (raster instanceof BytePackedRaster) { + if (raster instanceof BytePackedRaster && + MultiPixelPackedSampleModel.class.equals(sm.getClass())) + { imageType = TYPE_BYTE_BINARY; } // if (raster instanceof BytePackedRaster) - else if (raster instanceof ByteComponentRaster) { + else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass())) + { ByteComponentRaster braster = (ByteComponentRaster) raster; if (braster.getPixelStride() == 1 && pixSize <= 8) { imageType = TYPE_BYTE_INDEXED; @@ -732,7 +740,8 @@ } } // else if (cm instanceof IndexColorModel) && (numBands == 1)) else if ((raster instanceof ShortComponentRaster) - && (cm instanceof DirectColorModel) + && (DirectColorModel.class.equals(cm.getClass())) + && (SinglePixelPackedSampleModel.class.equals(sm.getClass())) && (numBands == 3) && !cm.hasAlpha()) { @@ -778,12 +787,14 @@ if (is8bit && offs[0] == numBands-1 && offs[1] == numBands-2 && - offs[2] == numBands-3) + offs[2] == numBands-3 && + ComponentColorModel.class.equals(ccm.getClass()) && + PixelInterleavedSampleModel.class.equals(csm.getClass())) { - if (numBands == 3) { + if (numBands == 3 && !ccm.hasAlpha()) { imageType = TYPE_3BYTE_BGR; } - else if (offs[3] == 0) { + else if (offs[3] == 0 && ccm.hasAlpha()) { imageType = (isAlphaPre ? TYPE_4BYTE_ABGR_PRE : TYPE_4BYTE_ABGR); diff --git a/src/share/native/sun/awt/image/awt_parseImage.c b/src/share/native/sun/awt/image/awt_parseImage.c --- openjdk/jdk/src/share/native/sun/awt/image/awt_parseImage.c +++ openjdk/jdk/src/share/native/sun/awt/image/awt_parseImage.c @@ -385,10 +385,39 @@ return 1; } +static int getColorModelType(JNIEnv *env, jobject jcmodel) { + int type = UNKNOWN_CM_TYPE; + + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + { + type = INDEX_CM_TYPE; + } else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) + { + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/DirectColorModel"))) { + type = DIRECT_CM_TYPE; + } + else { + type = PACKED_CM_TYPE; + } + } + else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) + { + type = COMPONENT_CM_TYPE; + } + + return type; +} + int awt_parseColorModel (JNIEnv *env, jobject jcmodel, int imageType, ColorModelS_t *cmP) { /*jmethodID jID; */ jobject jnBits; + jsize nBitsLength; + int i; static jobject s_jdefCM = NULL; @@ -410,15 +439,55 @@ cmP->transparency = (*env)->GetIntField(env, jcmodel, g_CMtransparencyID); + jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); + if (jnBits == NULL) { + JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); + return -1; + } + + nBitsLength = (*env)->GetArrayLength(env, jnBits); + if (nBitsLength != cmP->numComponents) { + // invalid number of components? + return -1; + } + + cmP->nBits = NULL; + if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { + cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); + } + + if (cmP->nBits == NULL){ + JNU_ThrowOutOfMemoryError(env, "Out of memory"); + return -1; + } + (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, + cmP->nBits); + cmP->maxNbits = 0; + for (i=0; i < cmP->numComponents; i++) { + if (cmP->maxNbits < cmP->nBits[i]) { + cmP->maxNbits = cmP->nBits[i]; + } + } + + cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); + + cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); + + cmP->cmType = getColorModelType(env, jcmodel); + + cmP->isDefaultCM = FALSE; + cmP->isDefaultCompatCM = FALSE; + + /* look for standard cases */ if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB) { cmP->isDefaultCM = TRUE; cmP->isDefaultCompatCM = TRUE; } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB_PRE || - imageType == java_awt_image_BufferedImage_TYPE_INT_RGB) { - cmP->isDefaultCompatCM = TRUE; - } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || + imageType == java_awt_image_BufferedImage_TYPE_INT_RGB || + imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR || - imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE){ + imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE) + { cmP->isDefaultCompatCM = TRUE; } else { @@ -439,50 +508,25 @@ cmP->isDefaultCompatCM = cmP->isDefaultCM; } + /* check whether image attributes correspond to default cm */ if (cmP->isDefaultCompatCM) { - cmP->cmType = DIRECT_CM_TYPE; - cmP->nBits = (jint *) malloc(sizeof(jint)*4); - cmP->nBits[0] = cmP->nBits[1] = cmP->nBits[2] = cmP->nBits[3] = 8; - cmP->maxNbits = 8; - cmP->is_sRGB = TRUE; - cmP->csType = java_awt_color_ColorSpace_TYPE_RGB; + if (cmP->csType != java_awt_color_ColorSpace_TYPE_RGB || + !cmP->is_sRGB) + { + return -1; + } - return 1; - } - - jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); - if (jnBits == NULL) { - JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); - return -1; - } - - cmP->nBits = NULL; - if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { - cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); - } - if (cmP->nBits == NULL){ - JNU_ThrowOutOfMemoryError(env, "Out of memory"); - return -1; - } - (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, - cmP->nBits); - cmP->maxNbits = 0; - for (i=0; i < cmP->numComponents; i++) { - if (cmP->maxNbits < cmP->nBits[i]) { - cmP->maxNbits = cmP->nBits[i]; + for (i = 0; i < cmP->numComponents; i++) { + if (cmP->nBits[i] != 8) { + return -1; + } } } - cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); - - cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); - - /* Find out what type of colol model */ + /* Get index color model attributes */ if (imageType == java_awt_image_BufferedImage_TYPE_BYTE_INDEXED || - (*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + cmP->cmType == INDEX_CM_TYPE) { - cmP->cmType = INDEX_CM_TYPE; cmP->transIdx = (*env)->GetIntField(env, jcmodel, g_ICMtransIdxID); cmP->mapSize = (*env)->GetIntField(env, jcmodel, g_ICMmapSizeID); cmP->jrgb = (*env)->GetObjectField(env, jcmodel, g_ICMrgbID); @@ -508,31 +552,6 @@ } } } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/DirectColorModel"))){ - cmP->cmType = DIRECT_CM_TYPE; - } - else { - cmP->cmType = PACKED_CM_TYPE; - } - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) - { - cmP->cmType = COMPONENT_CM_TYPE; - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - cmP->cmType = PACKED_CM_TYPE; - } - else { - cmP->cmType = UNKNOWN_CM_TYPE; - } - return 1; } @@ -572,6 +591,13 @@ ColorModelS_t *cmodelP = &imageP->cmodel; int imageType = imageP->imageType; + // check whether raster and color model are compatible + if (cmodelP->numComponents != rasterP->numBands) { + if (cmodelP->cmType != INDEX_CM_TYPE) { + return -1; + } + } + hintP->numChans = imageP->cmodel.numComponents; hintP->colorOrder = NULL; if (SAFE_TO_ALLOC_2(hintP->numChans, sizeof(int))) { @@ -1063,6 +1089,10 @@ jsm = (*env)->GetObjectField(env, rasterP->jraster, g_RasterSampleModelID); jdatabuffer = (*env)->GetObjectField(env, rasterP->jraster, g_RasterDataBufferID); + if (band >= numBands) { + JNU_ThrowInternalError(env, "Band out of range."); + return -1; + } /* Here is the generic code */ jdata = (*env)->NewIntArray(env, maxBytes*rasterP->numBands*maxLines); if (JNU_IsNull(env, jdata)) { @@ -1071,11 +1101,6 @@ } if (band >= 0) { int dOff; - if (band >= numBands) { - (*env)->DeleteLocalRef(env, jdata); - JNU_ThrowInternalError(env, "Band out of range."); - return -1; - } off = 0; for (y=0; y < h; y+=maxLines) { if (y+maxLines > h) { diff --git a/src/share/native/sun/awt/medialib/awt_ImagingLib.c b/src/share/native/sun/awt/medialib/awt_ImagingLib.c --- openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c +++ openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c @@ -2605,6 +2605,41 @@ return 0; } +#define ERR_BAD_IMAGE_LAYOUT (-2) + +#define CHECK_DST_ARRAY(start_offset, elements_per_pixel) \ + do { \ + int offset = (start_offset); \ + int lastScanOffset; \ + \ + if (!SAFE_TO_MULT(rasterP->scanlineStride, \ + (rasterP->height - 1))) \ + { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset = rasterP->scanlineStride * \ + (rasterP->height - 1); \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (!SAFE_TO_MULT((elements_per_pixel), rasterP->width)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + offset = (elements_per_pixel) * rasterP->width; \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (dataArrayLength < lastScanOffset) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + } while(0); \ + static int storeImageArray(JNIEnv *env, BufImageS_t *srcP, BufImageS_t *dstP, mlib_image *mlibImP) { @@ -2612,6 +2647,7 @@ unsigned char *cmDataP, *dataP, *cDataP; HintS_t *hintP = &dstP->hints; RasterS_t *rasterP = &dstP->raster; + jsize dataArrayLength = (*env)->GetArrayLength(env, rasterP->jdata); int y; /* REMIND: Store mlib data type? */ @@ -2630,14 +2666,15 @@ if (hintP->packing == BYTE_INTERLEAVED) { /* Write it back to the destination */ + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); cmDataP = (unsigned char *) mlib_ImageGetData(mlibImP); mStride = mlib_ImageGetStride(mlibImP); dataP = (unsigned char *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) return 0; - cDataP = dataP + hintP->dataOffset; + cDataP = dataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, cmDataP += mStride, cDataP += hintP->sStride) + y++, cmDataP += mStride, cDataP += rasterP->scanlineStride) { memcpy(cDataP, cmDataP, rasterP->width*hintP->numChans); } @@ -2648,13 +2685,14 @@ /* Write it back to the destination */ unsigned short *sdataP, *sDataP; unsigned short *smDataP = (unsigned short *)mlib_ImageGetData(mlibImP); + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); mStride = mlib_ImageGetStride(mlibImP); sdataP = (unsigned short *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (sdataP == NULL) return -1; - sDataP = sdataP + hintP->dataOffset; + sDataP = sdataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, smDataP += mStride, sDataP += hintP->sStride) + y++, smDataP += mStride, sDataP += rasterP->scanlineStride) { memcpy(sDataP, smDataP, rasterP->width*hintP->numChans); } @@ -3447,7 +3485,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3456,11 +3495,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3515,7 +3561,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3524,11 +3571,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3583,7 +3637,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3592,11 +3647,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3653,7 +3715,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3663,11 +3726,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3743,7 +3813,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3753,11 +3824,17 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3833,7 +3910,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3843,11 +3921,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) {