Mercurial > hg > release > icedtea6-1.6
view patches/security/20100330/6914866.patch @ 1723:d48a4f542e7d
Add new security patches and fix srcdir!=builddir issues.
2009-03-30 Andrew John Hughes <ahughes@redhat.com>
* patches/icedtea-systemtap.patch:
Moved to HotSpot-specific patch tree.
* Makefile.am: Add new security patches
and add $(HSBUILD) to systemtap patch.
Put copied OpenJDK files in openjdk-copy
rather than a duplicate rt directory
in the build tree.
* NEWS: List new security patches.
* patches/hotspot/default/systemtap.patch:
From patches/icedtea-systemtap.patch.
* patches/hotspot/original/icedtea-format.patch,
* patches/hotspot/original/systemtap.patch:
Added for original HotSpot build.
* patches/security/20100330/6626217.patch,
* patches/security/20100330/6633872.patch,
* patches/security/20100330/6639665.patch,
* patches/security/20100330/6736390.patch,
* patches/security/20100330/6745393.patch,
* patches/security/20100330/6887703.patch,
* patches/security/20100330/6888149.patch,
* patches/security/20100330/6892265.patch,
* patches/security/20100330/6893947.patch,
* patches/security/20100330/6893954.patch,
* patches/security/20100330/6898622.patch,
* patches/security/20100330/6898739.patch,
* patches/security/20100330/6899653.patch,
* patches/security/20100330/6902299.patch,
* patches/security/20100330/6904691.patch,
* patches/security/20100330/6909597.patch,
* patches/security/20100330/6910590.patch,
* patches/security/20100330/6914823.patch,
* patches/security/20100330/6914866.patch,
* patches/security/20100330/6932480.patch,
* patches/security/20100330/hotspot/default/6894807.patch,
* patches/security/20100330/hotspot/original/6894807.patch:
New security and hardening patches
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
| author | Andrew John Hughes <ahughes@redhat.com> |
|---|---|
| date | Tue, 30 Mar 2010 23:04:54 +0100 |
| parents | |
| children |
line wrap: on
line source
--- openjdk.orig/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c 2010-02-17 13:09:00.023000000 +0300 +++ openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c 2010-02-17 13:08:58.601000000 +0300 @@ -2216,7 +2216,8 @@ int dataType = BYTE_DATA_TYPE; int width; int height; - int size = rasterP->width * rasterP->height * rasterP->numBands; + int dataSize; + int offset; *dataPP = NULL; @@ -2269,6 +2270,22 @@ #endif switch (rasterP->type) { case sun_awt_image_IntegerComponentRaster_TYPE_INT_8BIT_SAMPLES: + if (!((rasterP->chanOffsets[0] == 0 || SAFE_TO_ALLOC_2(rasterP->chanOffsets[0], 4)) && + SAFE_TO_ALLOC_2(width, 4) && + SAFE_TO_ALLOC_3(height, rasterP->scanlineStride, 4))) + { + return -1; + } + offset = 4 * rasterP->chanOffsets[0]; + dataSize = 4 * (*env)->GetArrayLength(env, rasterP->jdata); + + if (offset < 0 || offset >= dataSize || + width > rasterP->scanlineStride || + height * rasterP->scanlineStride * 4 > dataSize - offset) + { + // raster data buffer is too short + return -1; + } dataP = (void *) (*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) { @@ -2277,11 +2294,25 @@ *mlibImagePP = (*sMlibSysFns.createStructFP)(MLIB_BYTE, 4, width, height, rasterP->scanlineStride*4, - (unsigned char *)dataP - + rasterP->chanOffsets[0]*4); + (unsigned char *)dataP + offset); *dataPP = dataP; return 0; case sun_awt_image_IntegerComponentRaster_TYPE_BYTE_SAMPLES: + if (!(SAFE_TO_ALLOC_2(width, rasterP->numBands) && + SAFE_TO_ALLOC_2(height, rasterP->scanlineStride))) + { + return -1; + } + offset = rasterP->chanOffsets[0]; + dataSize = (*env)->GetArrayLength(env, rasterP->jdata); + + if (offset < 0 || offset >= dataSize || + width * rasterP->numBands > rasterP->scanlineStride || + height * rasterP->scanlineStride > dataSize - offset) + { + // raster data buffer is too short + return -1; + } dataP = (void *) (*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) { @@ -2290,11 +2321,26 @@ *mlibImagePP = (*sMlibSysFns.createStructFP)(MLIB_BYTE, rasterP->numBands, width, height, rasterP->scanlineStride, - (unsigned char *)dataP - + rasterP->chanOffsets[0]); + (unsigned char *)dataP + offset); *dataPP = dataP; return 0; case sun_awt_image_IntegerComponentRaster_TYPE_USHORT_SAMPLES: + if (!((rasterP->chanOffsets[0] == 0 || SAFE_TO_ALLOC_2(rasterP->chanOffsets[0], 2)) && + SAFE_TO_ALLOC_3(width, rasterP->numBands, 2) && + SAFE_TO_ALLOC_3(height, rasterP->scanlineStride, 2))) + { + return -1; + } + offset = rasterP->chanOffsets[0] * 2; + dataSize = 2 * (*env)->GetArrayLength(env, rasterP->jdata); + + if (offset < 0 || offset >= dataSize || + width * rasterP->numBands > rasterP->scanlineStride || + height * rasterP->scanlineStride * 2 > dataSize - offset) + { + // raster data buffer is too short + return -1; + } dataP = (void *) (*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) { @@ -2304,8 +2350,7 @@ rasterP->numBands, width, height, rasterP->scanlineStride*2, - (unsigned char *)dataP - + rasterP->chanOffsets[0]*2); + (unsigned char *)dataP + offset); *dataPP = dataP; return 0; --- openjdk.orig/jdk/src/share/native/sun/awt/medialib/safe_alloc.h 2010-02-17 13:09:12.672000000 +0300 +++ openjdk/jdk/src/share/native/sun/awt/medialib/safe_alloc.h 2010-02-17 13:09:11.501000000 +0300 @@ -35,11 +35,11 @@ */ #define SAFE_TO_ALLOC_2(c, sz) \ (((c) > 0) && ((sz) > 0) && \ - ((0xffffffffu / ((juint)(c))) > (sz))) + ((0xffffffffu / ((juint)(c))) > ((juint)(sz)))) #define SAFE_TO_ALLOC_3(w, h, sz) \ (((w) > 0) && ((h) > 0) && ((sz) > 0) && \ - (((0xffffffffu / ((juint)(w))) / ((juint)(h))) > (sz))) + (((0xffffffffu / ((juint)(w))) / ((juint)(h))) > ((juint)(sz)))) #endif // __SAFE_ALLOC_H__