Mercurial > hg > release > icedtea6-1.8
view patches/security/20110607/7013519.patch @ 2150:e11a3915d1cf
Apply 2011/06/07 security patches.
2011-05-23 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am: Add security patches.
* NEWS: List security patches.
* patches/icedtea-nio2.patch: Rerolled post-security
patching.
* patches/security/20110607/6213702.patch,
* patches/security/20110607/6618658.patch,
* patches/security/20110607/7012520.patch,
* patches/security/20110607/7013519.patch,
* patches/security/20110607/7013969.patch,
* patches/security/20110607/7013971.patch,
* patches/security/20110607/7016495.patch,
* patches/security/20110607/7020198.patch,
* patches/security/20110607/7020373.patch:
New security patches.
* patches/icedtea-xjc.patch: Rerolled after 7013971.
| author | Andrew John Hughes <ahughes@redhat.com> |
|---|---|
| date | Tue, 24 May 2011 23:28:49 +0100 |
# HG changeset patch # User bae # Date 1301414029 -14400 # Node ID dc0eabbd9955ebe6a40aa931d6f3333e1f50a1b2 # Parent bfc1a4516e20e13c84b6597d7bfcbd2fbc3e0c4d 7013519: [parfait] Integer overflows in 2D code Reviewed-by: prr diff --git a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c --- openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c +++ openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c @@ -40,6 +40,7 @@ #include <setjmp.h> #include <assert.h> #include <string.h> +#include <limits.h> /* java native interface headers */ @@ -1921,6 +1922,14 @@ Java_com_sun_imageio_plugins_jpeg_JPEGIm } // Allocate a 1-scanline buffer + if (cinfo->num_components <= 0 || + cinfo->image_width > (UINT_MAX / (unsigned int)cinfo->num_components)) + { + RELEASE_ARRAYS(env, data, src->next_input_byte); + JNU_ThrowByName(env, "javax/imageio/IIOException", + "Invalid number of color components"); + return data->abortFlag; + } scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->num_components); if (scanLinePtr == NULL) { RELEASE_ARRAYS(env, data, src->next_input_byte); diff --git a/src/share/native/sun/font/layout/SunLayoutEngine.cpp b/src/share/native/sun/font/layout/SunLayoutEngine.cpp --- openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp +++ openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp @@ -186,7 +186,11 @@ JNIEXPORT void JNICALL Java_sun_font_Sun jchar buffer[256]; jchar* chars = buffer; if (len > 256) { - chars = (jchar*)malloc(len * sizeof(jchar)); + size_t size = len * sizeof(jchar); + if (size / sizeof(jchar) != len) { + return; + } + chars = (jchar*)malloc(size); if (chars == 0) { return; }
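Review bot: In the imageioJPEG.c hunk at -1921, the new guard checks the product against UINT_MAX, but the malloc argument on the following line recomputes `cinfo->image_width*cinfo->num_components` separately, so the check and the allocation size can drift apart if either expression is edited later. Compute the size once into a local after the guard and pass that local to malloc, as the SunLayoutEngine.cpp hunk does with `size`. Two smaller points in the same hunk: the exception text "Invalid number of color components" is also raised when `image_width` is the value that fails the bound, so a message covering both dimensions would be more accurate; and an `image_width` of 0 passes the guard and reaches malloc with a zero size, which is worth rejecting here if later code assumes a non-empty scanline buffer.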
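Review bot: In the SunLayoutEngine.cpp hunk at -186, the overflow branch `if (size / sizeof(jchar) != len) { return; }` returns without raising anything, so the Java caller cannot tell a rejected length from a completed call, whereas the imageioJPEG.c hunk in this same patch throws an IIOException for the equivalent condition. The existing `chars == 0` path has the same silent return, so both could throw (for example an OutOfMemoryError for the allocation failure). The multiply-then-divide test also depends on `len` converting to size_t cleanly; the declaration of `len` is outside the hunk, so either add a comment stating that `len > 256` guarantees it is positive here, or use a pre-multiplication bound such as comparing `len` against the maximum size_t value divided by `sizeof(jchar)`, which reads more directly.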