view patches/security/20130618/8012601-better_layout_validation.patch @ 3004:08ce3247b5b0

Add 2013/06/18 security patches. 2013-06-22 Andrew John Hughes <gnu.andrew@member.fsf.org> * patches/idresolver_fix.patch: Removed. Part of 6469266. * Makefile.am: (SECURITY_PATCHES): Add new ones. (SPECIAL_SECURITY_PATCH_1): Renamed from SPECIAL_SECURITY_PATCH. (SPECIAL_SECURITY_PATCH_2): Add 8009071, which needs to be applied after some AWT backports. (ICEDTEA_PATCHES): Use SPECIAL_SECURITY_PATCH_{1,2}. Move 8005615, 8007393 & 8007611 to SECURITY_PATCHES as must be applied before 8004584. Add 7171223 to end. * patches/openjdk/6307603-xrender-01.patch, * patches/openjdk/6469266-xmlsec_1.4.2.patch, * patches/openjdk/6656651-windows_lcd_glyphs.patch, * patches/openjdk/6786028-wcag_bold_tags.patch, * patches/openjdk/6786682-wcag_lang.patch, * patches/openjdk/6786688-wcag_table.patch, * patches/openjdk/6786690-wcag_dl.patch, * patches/openjdk/6802694-no_deprecated.patch, * patches/openjdk/6851834-restructure.patch, * patches/openjdk/6888167-medialib_memory_leaks.patch, * patches/openjdk/6961178-doclet_xml.patch, * patches/openjdk/6990754-use_native_memory_for_symboltable.patch, * patches/openjdk/7006270-regressions.patch, * patches/openjdk/7008809-report_class_in_arraystoreexception.patch, * patches/openjdk/7014851-unused_parallel_compaction_code.patch, * patches/openjdk/7017732-move_static_fields_to_class.patch, * patches/openjdk/7036747-elfstringtable.patch, * patches/openjdk/7086585-flexible_field_injection.patch, * patches/openjdk/7171223-strict_aliasing.patch, * patches/openjdk/7195301-no_instanceof_node.patch, * patches/security/20130618/6741606-apache_santuario.patch, * patches/security/20130618/7158805-nested_subroutine_rewriting.patch, * patches/security/20130618/7170730-windows_network_stack.patch, * patches/security/20130618/8000638-improve_deserialization.patch, * patches/security/20130618/8000642-better_transportation_handling.patch, * patches/security/20130618/8001032-restrict_object_access-corba.patch, * 
patches/security/20130618/8001032-restrict_object_access-jdk.patch, * patches/security/20130618/8001033-refactor_address_handling.patch, * patches/security/20130618/8001034-memory_management.patch, * patches/security/20130618/8001038-resourcefully_handle_resources.patch, * patches/security/20130618/8001043-clarify_definition_restrictions.patch, * patches/security/20130618/8001309-better_handling_of_annotation_interfaces.patch, * patches/security/20130618/8001318-6_fixup.patch, * patches/security/20130618/8001318-socket_getlocaladdress_consistency.patch, * patches/security/20130618/8001330-checking_order_improvement.patch, * patches/security/20130618/8001330-improve_checking_order.patch, * patches/security/20130618/8003703-update_rmi_connection_dialog.patch, * patches/security/20130618/8004584-augment_applet_contextualization.patch, * patches/security/20130618/8005007-better_glyph_processing.patch, * patches/security/20130618/8006328-6_fixup.patch, * patches/security/20130618/8006328-sound_class_robustness.patch, * patches/security/20130618/8006611-improve_scripting.patch, * patches/security/20130618/8007467-improve_jmx_internal_api_robustness.patch, * patches/security/20130618/8007471-6_fixup.patch, * patches/security/20130618/8007471-improve_mbean_notifications.patch, * patches/security/20130618/8007812-getenclosingmethod.patch, * patches/security/20130618/8008120-improve_jmx_class_checking.patch, * patches/security/20130618/8008124-better_compliance_testing.patch, * patches/security/20130618/8008128-better_jmx_api_coherence.patch, * patches/security/20130618/8008132-better_serialization.patch, * patches/security/20130618/8008585-jmx_data_handling.patch, * patches/security/20130618/8008593-better_urlclassloader.patch, * patches/security/20130618/8008603-jmx_provider_provision.patch, * patches/security/20130618/8008611-6_fixup.patch, * patches/security/20130618/8008611-jmx_annotations.patch, * patches/security/20130618/8008615-jmx_internal_api_robustness.patch, * 
patches/security/20130618/8008623-mbeanserver_handling.patch, * patches/security/20130618/8008744-6741606_rework.patch, * patches/security/20130618/8008982-jmx_interface_changes.patch, * patches/security/20130618/8009004-rmi_connection_improvement.patch, * patches/security/20130618/8009013-t2k_glyphs.patch, * patches/security/20130618/8009034-jmx_notification_improvement.patch, * patches/security/20130618/8009038-jmx_notification_support_improvement.patch, * patches/security/20130618/8009067-improve_key_storing.patch, * patches/security/20130618/8009071-improve_shape_handling.patch, * patches/security/20130618/8009235-improve_tsa_data_handling.patch, * patches/security/20130618/8009554-serialjavaobject.patch, * patches/security/20130618/8011243-improve_imaginglib.patch, * patches/security/20130618/8011248-better_component_rasters.patch, * patches/security/20130618/8011253-better_short_component_rasters.patch, * patches/security/20130618/8011257-better_byte_component_rasters.patch, * patches/security/20130618/8011557-improve_reflection.patch, * patches/security/20130618/8012375-javadoc_framing.patch, * patches/security/20130618/8012421-better_positioning.patch, * patches/security/20130618/8012438-better_image_validation.patch, * patches/security/20130618/8012597-better_image_channel_validation.patch, * patches/security/20130618/8012601-better_layout_validation.patch, * patches/security/20130618/8014281-better_xml_signature_checking.patch, * patches/security/20130618/8015997-more_javadoc_framing.patch, * patches/security/20130618/diamond_fix.patch, * patches/security/20130618/handle_npe.patch, * patches/security/20130618/hs_merge-01.patch, * patches/security/20130618/hs_merge-02.patch, * patches/security/20130618/hs_merge-03.patch, * patches/security/20130618/hs_merge-04.patch, * patches/security/20130618/javac_issue.patch, * patches/security/20130618/langtools_generics.patch, * patches/security/20130618/langtools_merge-01.patch, * 
patches/security/20130618/langtools_merge-02.patch, * patches/security/20130618/langtools_merge-03.patch: 2013/06/18 security patches. * patches/apache-xml-internal-fix-bug-38655.patch: Remove.
author Andrew John Hughes <gnu.andrew@redhat.com>
date Sat, 22 Jun 2013 16:38:24 -0500

# HG changeset patch
# User bae
# Date 1366954254 -14400
# Node ID 81cfa2275a01fdc479901031e089c76c892d1c03
# Parent  940eac3712db0f139069d1048f021f0e70cbbb3a
8012601: Better validation of image layouts
Reviewed-by: mschoene, prr, vadim

diff --git a/src/share/classes/java/awt/image/BufferedImage.java b/src/share/classes/java/awt/image/BufferedImage.java
--- openjdk/jdk/src/share/classes/java/awt/image/BufferedImage.java
+++ openjdk/jdk/src/share/classes/java/awt/image/BufferedImage.java
@@ -785,6 +785,7 @@
                 }
             }
             if (is8bit &&
+                braster.getPixelStride() == numBands &&
                 offs[0] == numBands-1 &&
                 offs[1] == numBands-2 &&
                 offs[2] == numBands-3 &&
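Review bot: The added `braster.getPixelStride() == numBands` term at the top of this condition has no comment saying why the stride matters for the image-type decision. A line above the `if`, such as `// only tightly packed pixels (stride == band count) qualify; the band-offset checks alone do not rule out padding between pixels`, would keep a later cleanup from dropping the term as redundant. The condition continues past the end of the hunk, so the type it selects is not visible here; presumably it is one of the predefined byte-interleaved types.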
diff --git a/src/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java b/src/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java
--- openjdk/jdk/src/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java
+++ openjdk/jdk/src/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java
@@ -96,6 +96,7 @@
     int width;
     int height;
     int nextRowOffset;
+    private int nextPixelOffset;
     int offset;
 
     Object dataArray;
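Review bot: `nextPixelOffset` is declared without a comment giving its unit, and the later hunks only make sense if it is a byte distance. Element strides are multiplied by 4 for the int raster and by 2 for the short raster, while byte-raster strides are used as they are. I would add `// distance in bytes between the starts of adjacent pixels in a row` on the field. It is also the only `private` field in this group, the neighbours being package-private, which is fine if intended but worth a word in the same comment.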
@@ -107,6 +108,7 @@
         this.pixelType = pixelType;
         width = np;
         height = 1;
+        nextPixelOffset = pixelSize;
         nextRowOffset = safeMult(pixelSize, np);
         offset = 0;
     }
@@ -118,6 +120,7 @@
         this.pixelType = pixelType;
         this.width = width;
         this.height = height;
+        nextPixelOffset = pixelSize;
         nextRowOffset = safeMult(pixelSize, width);
         offset = 0;
     }
@@ -213,6 +216,7 @@
                 intRaster = (IntegerComponentRaster)image.getRaster();
 
                 nextRowOffset = safeMult(4, intRaster.getScanlineStride());
+                nextPixelOffset = safeMult(4, intRaster.getPixelStride());
 
                 offset = safeMult(4, intRaster.getDataOffset(0));
 
@@ -225,6 +229,8 @@
             case BufferedImage.TYPE_4BYTE_ABGR:
                 byteRaster = (ByteComponentRaster)image.getRaster();
                 nextRowOffset = byteRaster.getScanlineStride();
+                nextPixelOffset = byteRaster.getPixelStride();
+
                 int firstBand = image.getSampleModel().getNumBands() - 1;
                 offset = byteRaster.getDataOffset(firstBand);
                 dataArray = byteRaster.getDataStorage();
@@ -235,6 +241,8 @@
             case BufferedImage.TYPE_BYTE_GRAY:
                 byteRaster = (ByteComponentRaster)image.getRaster();
                 nextRowOffset = byteRaster.getScanlineStride();
+                nextPixelOffset = byteRaster.getPixelStride();
+
                 offset = byteRaster.getDataOffset(0);
                 dataArray = byteRaster.getDataStorage();
                 dataArrayLength = byteRaster.getDataStorage().length;
@@ -244,6 +252,8 @@
             case BufferedImage.TYPE_USHORT_GRAY:
                 shortRaster = (ShortComponentRaster)image.getRaster();
                 nextRowOffset = safeMult(2, shortRaster.getScanlineStride());
+                nextPixelOffset = safeMult(2, shortRaster.getPixelStride());
+
                 offset = safeMult(2, shortRaster.getDataOffset(0));
                 dataArray = shortRaster.getDataStorage();
                 dataArrayLength = 2 * shortRaster.getDataStorage().length;
@@ -273,9 +283,15 @@
             throw new ImageLayoutException("Invalid image layout");
         }
 
-        int lastPixelOffset = safeMult(nextRowOffset, (height - 1));
+        if (nextPixelOffset != getBytesPerPixel(pixelType)) {
+            throw new ImageLayoutException("Invalid image layout");
+        }
 
-        lastPixelOffset = safeAdd(lastPixelOffset, (width - 1));
+        int lastScanOffset = safeMult(nextRowOffset, (height - 1));
+
+        int lastPixelOffset = safeMult(nextPixelOffset, (width -1 ));
+
+        lastPixelOffset = safeAdd(lastPixelOffset, lastScanOffset);
 
         int off = safeAdd(offset, lastPixelOffset);
 
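Review bot: `lastPixelOffset` as computed here addresses the first byte of the last pixel, not its last byte, so a bound compared against `off` leaves the remaining `nextPixelOffset - 1` bytes of that pixel unchecked. The comparison itself follows the hunk and is not visible, so this needs confirming there; if it has the form `off >= dataArrayLength`, consider testing `safeAdd(off, nextPixelOffset - 1)` against the length instead. Separately, the new stride check throws the same `"Invalid image layout"` text as the check before it, and a distinct message for the stride mismatch would make rejected images easier to diagnose. Minor: `(width -1 )` has stray spacing.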
@@ -307,4 +323,25 @@
             super(message);
         }
     }
+
+    /**
+     * Derives number of bytes per pixel from the pixel format.
+     * Following bit fields are used here:
+     *  [0..2] - bytes per sample
+     *  [3..6] - number of color samples per pixel
+     *  [7..9] - number of non-color samples per pixel
+     *
+     * A complete description of the pixel format can be found
+     * here: lcms2.h, lines 651 - 667.
+     *
+     * @param pixelType pixel format in lcms2 notation.
+     * @return number of bytes per pixel for given pixel format.
+     */
+    private static int getBytesPerPixel(int pixelType) {
+        int bytesPerSample = (0x7 & pixelType);
+        int colorSamplesPerPixel = 0xF & (pixelType >> 3);
+        int extraSamplesPerPixel = 0x7 & (pixelType >> 7);
+
+        return bytesPerSample * (colorSamplesPerPixel + extraSamplesPerPixel);
+    }
 }
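Review bot: `getBytesPerPixel` returns 0 whenever the low three bits of `pixelType` are 0, and the new stride check then rejects every such layout with the generic message. If I recall lcms2's encoding correctly, a zero bytes-per-sample field denotes double samples rather than "no bytes". The case should therefore either be handled (`if (bytesPerSample == 0) bytesPerSample = 8;`) or stated in the Javadoc as unsupported by this class. The Javadoc also points at `lcms2.h, lines 651 - 667`, which will drift as the header changes; naming the macros the masks mirror (`T_BYTES`, `T_CHANNELS`, `T_EXTRA`) is more durable.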