Mercurial > hg > release > icedtea6-1.12
view patches/security/20130618/8012438-better_image_validation.patch @ 3004:08ce3247b5b0
Add 2013/06/18 security patches.
2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org>
* patches/idresolver_fix.patch:
Removed. Part of 6469266.
* Makefile.am:
(SECURITY_PATCHES): Add new ones.
(SPECIAL_SECURITY_PATCH_1): Renamed from
SPECIAL_SECURITY_PATCH.
(SPECIAL_SECURITY_PATCH_2): Add 8009071, which
needs to be applied after some AWT backports.
(ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}.
Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES
as must be applied before 8004584. Add 7171223 to
end.
* patches/openjdk/6307603-xrender-01.patch,
* patches/openjdk/6469266-xmlsec_1.4.2.patch,
* patches/openjdk/6656651-windows_lcd_glyphs.patch,
* patches/openjdk/6786028-wcag_bold_tags.patch,
* patches/openjdk/6786682-wcag_lang.patch,
* patches/openjdk/6786688-wcag_table.patch,
* patches/openjdk/6786690-wcag_dl.patch,
* patches/openjdk/6802694-no_deprecated.patch,
* patches/openjdk/6851834-restructure.patch,
* patches/openjdk/6888167-medialib_memory_leaks.patch,
* patches/openjdk/6961178-doclet_xml.patch,
* patches/openjdk/6990754-use_native_memory_for_symboltable.patch,
* patches/openjdk/7006270-regressions.patch,
* patches/openjdk/7008809-report_class_in_arraystoreexception.patch,
* patches/openjdk/7014851-unused_parallel_compaction_code.patch,
* patches/openjdk/7017732-move_static_fields_to_class.patch,
* patches/openjdk/7036747-elfstringtable.patch,
* patches/openjdk/7086585-flexible_field_injection.patch,
* patches/openjdk/7171223-strict_aliasing.patch,
* patches/openjdk/7195301-no_instanceof_node.patch,
* patches/security/20130618/6741606-apache_santuario.patch,
* patches/security/20130618/7158805-nested_subroutine_rewriting.patch,
* patches/security/20130618/7170730-windows_network_stack.patch,
* patches/security/20130618/8000638-improve_deserialization.patch,
* patches/security/20130618/8000642-better_transportation_handling.patch,
* patches/security/20130618/8001032-restrict_object_access-corba.patch,
* patches/security/20130618/8001032-restrict_object_access-jdk.patch,
* patches/security/20130618/8001033-refactor_address_handling.patch,
* patches/security/20130618/8001034-memory_management.patch,
* patches/security/20130618/8001038-resourcefully_handle_resources.patch,
* patches/security/20130618/8001043-clarify_definition_restrictions.patch,
* patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch,
* patches/security/20130618/8001318-6_fixup.patch,
* patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch,
* patches/security/20130618/8001330-checking_order_improvement.patch,
* patches/security/20130618/8001330-improve_checking_order.patch,
* patches/security/20130618/8003703-update_rmi_connection_dialog.patch,
* patches/security/20130618/8004584-augment_applet_contextualization.patch,
* patches/security/20130618/8005007-better_glyph_processing.patch,
* patches/security/20130618/8006328-6_fixup.patch,
* patches/security/20130618/8006328-sound_class_robustness.patch,
* patches/security/20130618/8006611-improve_scripting.patch,
* patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch,
* patches/security/20130618/8007471-6_fixup.patch,
* patches/security/20130618/8007471-improve_mbean_notifications.patch,
* patches/security/20130618/8007812-getenclosingmethod.patch,
* patches/security/20130618/8008120-improve_jmx_class_checking.patch,
* patches/security/20130618/8008124-better_compliance_testing.patch,
* patches/security/20130618/8008128-better_jmx_api_coherence.patch,
* patches/security/20130618/8008132-better_serialization.patch,
* patches/security/20130618/8008585-jmx_data_handling.patch,
* patches/security/20130618/8008593-better_urlclassloader.patch,
* patches/security/20130618/8008603-jmx_provider_provision.patch,
* patches/security/20130618/8008611-6_fixup.patch,
* patches/security/20130618/8008611-jmx_annotations.patch,
* patches/security/20130618/8008615-jmx_internal_api_robustness.patch,
* patches/security/20130618/8008623-mbeanserver_handling.patch,
* patches/security/20130618/8008744-6741606_rework.patch,
* patches/security/20130618/8008982-jmx_interface_changes.patch,
* patches/security/20130618/8009004-rmi_connection_improvement.patch,
* patches/security/20130618/8009013-t2k_glyphs.patch,
* patches/security/20130618/8009034-jmx_notification_improvement.patch,
* patches/security/20130618/8009038-jmx_notification_support_improvement.patch,
* patches/security/20130618/8009067-improve_key_storing.patch,
* patches/security/20130618/8009071-improve_shape_handling.patch,
* patches/security/20130618/8009235-improve_tsa_data_handling.patch,
* patches/security/20130618/8009554-serialjavaobject.patch,
* patches/security/20130618/8011243-improve_imaginglib.patch,
* patches/security/20130618/8011248-better_component_rasters.patch,
* patches/security/20130618/8011253-better_short_component_rasters.patch,
* patches/security/20130618/8011257-better_byte_component_rasters.patch,
* patches/security/20130618/8011557-improve_reflection.patch,
* patches/security/20130618/8012375-javadoc_framing.patch,
* patches/security/20130618/8012421-better_positioning.patch,
* patches/security/20130618/8012438-better_image_validation.patch,
* patches/security/20130618/8012597-better_image_channel_validation.patch,
* patches/security/20130618/8012601-better_layout_validation.patch,
* patches/security/20130618/8014281-better_xml_signature_checking.patch,
* patches/security/20130618/8015997-more_javadoc_framing.patch,
* patches/security/20130618/diamond_fix.patch,
* patches/security/20130618/handle_npe.patch,
* patches/security/20130618/hs_merge-01.patch,
* patches/security/20130618/hs_merge-02.patch,
* patches/security/20130618/hs_merge-03.patch,
* patches/security/20130618/hs_merge-04.patch,
* patches/security/20130618/javac_issue.patch,
* patches/security/20130618/langtools_generics.patch,
* patches/security/20130618/langtools_merge-01.patch,
* patches/security/20130618/langtools_merge-02.patch,
* patches/security/20130618/langtools_merge-03.patch:
2013/06/18 security patches.
* patches/apache-xml-internal-fix-bug-38655.patch: Remove.
| author | Andrew John Hughes <gnu.andrew@redhat.com> |
|---|---|
| date | Sat, 22 Jun 2013 16:38:24 -0500 |
| parents | |
| children |
line wrap: on
line source
# HG changeset patch # User bae # Date 1366802624 -14400 # Node ID 63028eef41bcd0e7ea49d333dc25ad27cd5e33a4 # Parent 92ad159889b19b66a64cd3c89b628132fe089354 8012438: Better image validation Reviewed-by: mschoene, prr, vadim diff --git a/src/share/classes/java/awt/image/ComponentSampleModel.java b/src/share/classes/java/awt/image/ComponentSampleModel.java --- openjdk/jdk/src/share/classes/java/awt/image/ComponentSampleModel.java +++ openjdk/jdk/src/share/classes/java/awt/image/ComponentSampleModel.java @@ -148,7 +148,7 @@ this.pixelStride = pixelStride; this.scanlineStride = scanlineStride; this.bandOffsets = (int[])bandOffsets.clone(); - numBands = bandOffsets.length; + numBands = this.bandOffsets.length; if (pixelStride < 0) { throw new IllegalArgumentException("Pixel stride must be >= 0"); } @@ -223,24 +223,24 @@ (dataType > DataBuffer.TYPE_DOUBLE)) { throw new IllegalArgumentException("Unsupported dataType."); } - int maxBank = bankIndices[0]; + int maxBank = this.bankIndices[0]; if (maxBank < 0) { throw new IllegalArgumentException("Index of bank 0 is less than "+ "0 ("+maxBank+")"); } - for (int i=1; i < bankIndices.length; i++) { - if (bankIndices[i] > maxBank) { - maxBank = bankIndices[i]; + for (int i=1; i < this.bankIndices.length; i++) { + if (this.bankIndices[i] > maxBank) { + maxBank = this.bankIndices[i]; } - else if (bankIndices[i] < 0) { + else if (this.bankIndices[i] < 0) { throw new IllegalArgumentException("Index of bank "+i+ " is less than 0 ("+ maxBank+")"); } } numBanks = maxBank+1; - numBands = bandOffsets.length; - if (bandOffsets.length != bankIndices.length) { + numBands = this.bandOffsets.length; + if (this.bandOffsets.length != this.bankIndices.length) { throw new IllegalArgumentException("Length of bandOffsets must "+ "equal length of bankIndices."); } diff --git a/src/share/classes/java/awt/image/PixelInterleavedSampleModel.java b/src/share/classes/java/awt/image/PixelInterleavedSampleModel.java --- openjdk/jdk/src/share/classes/java/awt/image/PixelInterleavedSampleModel.java +++ openjdk/jdk/src/share/classes/java/awt/image/PixelInterleavedSampleModel.java @@ -85,11 +85,11 @@ int scanlineStride, int bandOffsets[]) { super(dataType, w, h, pixelStride, scanlineStride, bandOffsets); - int minBandOff=bandOffsets[0]; - int maxBandOff=bandOffsets[0]; - for (int i=1; i<bandOffsets.length; i++) { - minBandOff = Math.min(minBandOff,bandOffsets[i]); - maxBandOff = Math.max(maxBandOff,bandOffsets[i]); + int minBandOff=this.bandOffsets[0]; + int maxBandOff=this.bandOffsets[0]; + for (int i=1; i<this.bandOffsets.length; i++) { + minBandOff = Math.min(minBandOff,this.bandOffsets[i]); + maxBandOff = Math.max(maxBandOff,this.bandOffsets[i]); } maxBandOff -= minBandOff; if (maxBandOff > scanlineStride) { diff --git a/src/share/classes/java/awt/image/Raster.java b/src/share/classes/java/awt/image/Raster.java --- openjdk/jdk/src/share/classes/java/awt/image/Raster.java +++ openjdk/jdk/src/share/classes/java/awt/image/Raster.java @@ -257,15 +257,10 @@ int bandOffsets[], Point location) { DataBuffer d; - int bands = bandOffsets.length; - int maxBandOff = bandOffsets[0]; - for (int i=1; i < bands; i++) { - if (bandOffsets[i] > maxBandOff) { - maxBandOff = bandOffsets[i]; - } - } - int size = maxBandOff + scanlineStride*(h-1) + pixelStride*(w-1) + 1; + int size = scanlineStride * (h - 1) + // fisrt (h - 1) scans + pixelStride * w; // last scan + switch(dataType) { case DataBuffer.TYPE_BYTE: d = new DataBufferByte(size); @@ -397,7 +392,8 @@ } } int banks = maxBank + 1; - int size = maxBandOff + scanlineStride*(h-1) + (w-1) + 1; + int size = scanlineStride * (h - 1) + // fisrt (h - 1) scans + w; // last scan switch(dataType) { case DataBuffer.TYPE_BYTE: diff --git a/src/share/classes/sun/awt/image/ByteBandedRaster.java b/src/share/classes/sun/awt/image/ByteBandedRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/ByteBandedRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/ByteBandedRaster.java @@ -755,6 +755,13 @@ + scanlineStride); } + for (int i = 0; i < data.length; i++) { + if (scanlineStride > data[i].length) { + throw new RasterFormatException("Incorrect scanline stride: " + + scanlineStride); + } + } + // Make sure data for Raster is in a legal range for (int i=0; i < dataOffsets.length; i++) { if (dataOffsets[i] < 0) { @@ -765,19 +772,20 @@ } int lastScanOffset = (height - 1) * scanlineStride; - int lastPixelOffset = lastScanOffset + (width-1); - if (lastPixelOffset < lastScanOffset) { + + if ((width - 1) > (Integer.MAX_VALUE - lastScanOffset)) { throw new RasterFormatException("Invalid raster dimension"); } + int lastPixelOffset = lastScanOffset + (width-1); int maxIndex = 0; int index; for (int i=0; i < numDataElements; i++) { - index = lastPixelOffset + dataOffsets[i]; - if (index < lastPixelOffset) { + if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) { throw new RasterFormatException("Invalid raster dimension"); } + index = lastPixelOffset + dataOffsets[i]; if (index > maxIndex) { maxIndex = index; } diff --git a/src/share/classes/sun/awt/image/ByteComponentRaster.java b/src/share/classes/sun/awt/image/ByteComponentRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java @@ -887,7 +887,8 @@ // we can be sure that width and height are greater than 0 if (scanlineStride < 0 || - scanlineStride > (Integer.MAX_VALUE / height)) + scanlineStride > (Integer.MAX_VALUE / height) || + scanlineStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect scanline stride: " @@ -896,7 +897,8 @@ int lastScanOffset = (height - 1) * scanlineStride; if (pixelStride < 0 || - pixelStride > (Integer.MAX_VALUE / width)) + pixelStride > (Integer.MAX_VALUE / width) || + pixelStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect pixel stride: " diff --git a/src/share/classes/sun/awt/image/BytePackedRaster.java b/src/share/classes/sun/awt/image/BytePackedRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/BytePackedRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/BytePackedRaster.java @@ -1387,7 +1387,8 @@ } if (scanlineStride < 0 || - scanlineStride > (Integer.MAX_VALUE / height)) + scanlineStride > (Integer.MAX_VALUE / height) || + scanlineStride > data.length) { throw new RasterFormatException("Invalid scanline stride"); } diff --git a/src/share/classes/sun/awt/image/IntegerComponentRaster.java b/src/share/classes/sun/awt/image/IntegerComponentRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java @@ -656,7 +656,8 @@ // we can be sure that width and height are greater than 0 if (scanlineStride < 0 || - scanlineStride > (Integer.MAX_VALUE / height)) + scanlineStride > (Integer.MAX_VALUE / height) || + scanlineStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect scanline stride: " @@ -665,7 +666,8 @@ int lastScanOffset = (height - 1) * scanlineStride; if (pixelStride < 0 || - pixelStride > (Integer.MAX_VALUE / width)) + pixelStride > (Integer.MAX_VALUE / width) || + pixelStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect pixel stride: " diff --git a/src/share/classes/sun/awt/image/ShortBandedRaster.java b/src/share/classes/sun/awt/image/ShortBandedRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/ShortBandedRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/ShortBandedRaster.java @@ -754,6 +754,13 @@ + scanlineStride); } + for (int i = 0; i < data.length; i++) { + if (scanlineStride > data[i].length) { + throw new RasterFormatException("Incorrect scanline stride: " + + scanlineStride); + } + } + // Make sure data for Raster is in a legal range for (int i=0; i < dataOffsets.length; i++) { if (dataOffsets[i] < 0) { @@ -764,19 +771,19 @@ } int lastScanOffset = (height - 1) * scanlineStride; - int lastPixelOffset = lastScanOffset + (width-1); - if (lastPixelOffset < lastScanOffset) { + if ((width - 1) > (Integer.MAX_VALUE - lastScanOffset)) { throw new RasterFormatException("Invalid raster dimension"); } + int lastPixelOffset = lastScanOffset + (width - 1); int maxIndex = 0; int index; for (int i=0; i < numDataElements; i++) { - index = lastPixelOffset + dataOffsets[i]; - if (index < lastPixelOffset) { + if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) { throw new RasterFormatException("Invalid raster dimension"); } + index = lastPixelOffset + dataOffsets[i]; if (index > maxIndex) { maxIndex = index; } diff --git a/src/share/classes/sun/awt/image/ShortComponentRaster.java b/src/share/classes/sun/awt/image/ShortComponentRaster.java --- openjdk/jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java +++ openjdk/jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java @@ -821,7 +821,8 @@ // we can be sure that width and height are greater than 0 if (scanlineStride < 0 || - scanlineStride > (Integer.MAX_VALUE / height)) + scanlineStride > (Integer.MAX_VALUE / height) || + scanlineStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect scanline stride: " @@ -830,7 +831,8 @@ int lastScanOffset = (height - 1) * scanlineStride; if (pixelStride < 0 || - pixelStride > (Integer.MAX_VALUE / width)) + pixelStride > (Integer.MAX_VALUE / width) || + pixelStride > data.length) { // integer overflow throw new RasterFormatException("Incorrect pixel stride: " diff --git a/src/share/native/sun/awt/medialib/awt_ImagingLib.c b/src/share/native/sun/awt/medialib/awt_ImagingLib.c --- openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c +++ openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c @@ -1177,6 +1177,10 @@ static int indexes[NLUT] = INDEXES; + if (src->width != dst->width || src->height != dst->height) { + return 0; + } + for (y=0; y < src->height; y++) { int nloop, nx; int npix = src->width;