view patches/security/20110607/7013519.patch @ 2150:e11a3915d1cf

Apply 2011/06/07 security patches. 2011-05-23 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add security patches. * NEWS: List security patches. * patches/icedtea-nio2.patch: Rerolled post-security patching. * patches/security/20110607/6213702.patch, * patches/security/20110607/6618658.patch, * patches/security/20110607/7012520.patch, * patches/security/20110607/7013519.patch, * patches/security/20110607/7013969.patch, * patches/security/20110607/7013971.patch, * patches/security/20110607/7016495.patch, * patches/security/20110607/7020198.patch, * patches/security/20110607/7020373.patch: New security patches. * patches/icedtea-xjc.patch: Rerolled after 7013971.
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 24 May 2011 23:28:49 +0100

# HG changeset patch
# User bae
# Date 1301414029 -14400
# Node ID dc0eabbd9955ebe6a40aa931d6f3333e1f50a1b2
# Parent  bfc1a4516e20e13c84b6597d7bfcbd2fbc3e0c4d
7013519: [parfait] Integer overflows in 2D code
Reviewed-by: prr

diff --git a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
--- openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
+++ openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
@@ -40,6 +40,7 @@
 #include <setjmp.h>
 #include <assert.h>
 #include <string.h>
+#include <limits.h>
 
 
 /* java native interface headers */
@@ -1921,6 +1922,14 @@ Java_com_sun_imageio_plugins_jpeg_JPEGIm
     }
 
     // Allocate a 1-scanline buffer
+    if (cinfo->num_components <= 0 ||
+        cinfo->image_width > (UINT_MAX / (unsigned int)cinfo->num_components))
+    {
+        RELEASE_ARRAYS(env, data, src->next_input_byte);
+        JNU_ThrowByName(env, "javax/imageio/IIOException",
+                        "Invalid number of color components");
+        return data->abortFlag;
+    }
     scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->num_components);
     if (scanLinePtr == NULL) {
         RELEASE_ARRAYS(env, data, src->next_input_byte);
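Review bot: The guard added before the scanline `malloc` rejects two different conditions but reports both as "Invalid number of color components", so an image whose width alone would make `image_width * num_components` wrap is reported with a misleading cause; a neutral message such as "Invalid scanline size", or a separate branch for the width case, would make rejected files easier to triage. The checked product is also recomputed inside the `malloc` call, so the guard and the allocation can drift apart in a later edit; computing it once after the guard, `size_t scanLineSize = (size_t)cinfo->image_width * (size_t)cinfo->num_components;`, and passing `scanLineSize` to `malloc` keeps them tied together. A short comment such as `// reject dimensions whose product would wrap unsigned int and under-allocate the scanline buffer` would record why the check exists. The enclosing JNI function starts and ends outside this hunk, so whether later code sizes other buffers from the same fields cannot be confirmed from here.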
diff --git a/src/share/native/sun/font/layout/SunLayoutEngine.cpp b/src/share/native/sun/font/layout/SunLayoutEngine.cpp
--- openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp
+++ openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp
@@ -186,7 +186,11 @@ JNIEXPORT void JNICALL Java_sun_font_Sun
   jchar buffer[256];
   jchar* chars = buffer;
   if (len > 256) {
-    chars = (jchar*)malloc(len * sizeof(jchar));
+    size_t size = len * sizeof(jchar);
+    if (size / sizeof(jchar) != len) {
+      return;
+    }
+    chars = (jchar*)malloc(size);
     if (chars == 0) {
       return;
     }
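Review bot: The new overflow test compares a `size_t` quotient with `len`, which appears to be a signed JNI integer (its declaration is outside the hunk), so the comparison relies on an implicit signed-to-unsigned conversion and is only sound because the `len > 256` test above has already excluded negative values. Making the conversion explicit, `size_t size = (size_t)len * sizeof(jchar);` and `if (size / sizeof(jchar) != (size_t)len) {`, removes that dependence and the sign-compare warning. The early `return` raises no exception in the visible lines, matching the existing `chars == 0` path, so the Java caller of this `void` native cannot tell a rejected length from a completed call; a comment such as `// byte count for len chars does not fit in size_t: skip layout without allocating` would at least document the behaviour. The function continues beyond the hunk.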