Mercurial > hg > release > icedtea6-1.6

view patches/security/20100330/6914823.patch @ 1723:d48a4f542e7d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add new security patches and fix srcdir!=builddir issues. 2009-03-30 Andrew John Hughes <ahughes@redhat.com> * patches/icedtea-systemtap.patch: Moved to HotSpot-specific patch tree. * Makefile.am: Add new security patches and add $(HSBUILD) to systemtap patch. Put copied OpenJDK files in openjdk-copy rather than a duplicate rt directory in the build tree. * NEWS: List new security patches. * patches/hotspot/default/systemtap.patch: From patches/icedtea-systemtap.patch. * patches/hotspot/original/icedtea-format.patch, * patches/hotspot/original/systemtap.patch: Added for original HotSpot build. * patches/security/20100330/6626217.patch, * patches/security/20100330/6633872.patch, * patches/security/20100330/6639665.patch, * patches/security/20100330/6736390.patch, * patches/security/20100330/6745393.patch, * patches/security/20100330/6887703.patch, * patches/security/20100330/6888149.patch, * patches/security/20100330/6892265.patch, * patches/security/20100330/6893947.patch, * patches/security/20100330/6893954.patch, * patches/security/20100330/6898622.patch, * patches/security/20100330/6898739.patch, * patches/security/20100330/6899653.patch, * patches/security/20100330/6902299.patch, * patches/security/20100330/6904691.patch, * patches/security/20100330/6909597.patch, * patches/security/20100330/6910590.patch, * patches/security/20100330/6914823.patch, * patches/security/20100330/6914866.patch, * patches/security/20100330/6932480.patch, * patches/security/20100330/hotspot/default/6894807.patch, * patches/security/20100330/hotspot/original/6894807.patch: New security and hardening patches http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 30 Mar 2010 23:04:54 +0100
parents
children
line wrap: on
line source

--- openjdk.orig/jdk/src/share/classes/sun/awt/image/ImageRepresentation.java	2010-02-17 13:30:02.571000000 +0300
+++ openjdk/jdk/src/share/classes/sun/awt/image/ImageRepresentation.java	2010-02-17 13:30:02.197000000 +0300
@@ -333,10 +333,10 @@
         hints = h;
     }
 
-    public native void setICMpixels(int x, int y, int w, int h, int[] lut,
+    private native void setICMpixels(int x, int y, int w, int h, int[] lut,
                                     byte[] pix, int off, int scansize,
                                     IntegerComponentRaster ict);
-    public native int setDiffICM(int x, int y, int w, int h, int[] lut,
+    private native int setDiffICM(int x, int y, int w, int h, int[] lut,
                                  int transPix, int numLut, IndexColorModel icm,
                                  byte[] pix, int off, int scansize,
                                  ByteComponentRaster bct, int chanOff);
@@ -361,6 +361,64 @@
                 }
                 createBufferedImage();
             }
+
+            if (w <= 0 || h <= 0) {
+                return;
+            }
+
+            int biWidth = biRaster.getWidth();
+            int biHeight = biRaster.getHeight();
+
+            int x1 = x+w;  // Overflow protection below
+            int y1 = y+h;  // Overflow protection below
+            if (x < 0) {
+                off -= x;
+                x = 0;
+            } else if (x1 < 0) {
+                x1 = biWidth;  // Must be overflow
+            }
+            if (y < 0) {
+                off -= y*scansize;
+                y = 0;
+            } else if (y1 < 0) {
+                y1 = biHeight;  // Must be overflow
+            }
+            if (x1 > biWidth) {
+                x1 = biWidth;
+            }
+            if (y1 > biHeight) {
+                y1 = biHeight;
+            }
+            if (x >= x1 || y >= y1) {
+                return;
+            }
+            // x,y,x1,y1 are all >= 0, so w,h must be >= 0
+            w = x1-x;
+            h = y1-y;
+            // off is first pixel read so it must be in bounds
+            if (off < 0 || off >= pix.length) {
+                // They overflowed their own array
+                throw new ArrayIndexOutOfBoundsException("Data offset out of bounds.");
+            }
+            // pix.length and off are >= 0 so remainder >= 0
+            int remainder = pix.length - off;
+            if (remainder < w) {
+                // They overflowed their own array
+                throw new ArrayIndexOutOfBoundsException("Data array is too short.");
+            }
+            int num;
+            if (scansize < 0) {
+                num = (off / -scansize) + 1;
+            } else if (scansize > 0) {
+                num = ((remainder-w) / scansize) + 1;
+            } else {
+                num = h;
+            }
+            if (h > num) {
+                // They overflowed their own array.
+                throw new ArrayIndexOutOfBoundsException("Data array is too short.");
+            }
+
             if (isSameCM && (cmodel != model) && (srcLUT != null) &&
                 (model instanceof IndexColorModel) &&
                 (biRaster instanceof ByteComponentRaster))