changeset 2150:e11a3915d1cf

Apply 2011/06/07 security patches. 2011-05-23 Andrew John Hughes <ahughes@redhat.com> * Makefile.am: Add security patches. * NEWS: List security patches. * patches/icedtea-nio2.patch: Rerolled post-security patching. * patches/security/20110607/6213702.patch, * patches/security/20110607/6618658.patch, * patches/security/20110607/7012520.patch, * patches/security/20110607/7013519.patch, * patches/security/20110607/7013969.patch, * patches/security/20110607/7013971.patch, * patches/security/20110607/7016495.patch, * patches/security/20110607/7020198.patch, * patches/security/20110607/7020373.patch: New security patches. * patches/icedtea-xjc.patch: Rerolled after 7013971.
author Andrew John Hughes <ahughes@redhat.com>
date Tue, 24 May 2011 23:28:49 +0100
parents b0f229f276be
children 2cc9c0e4eade
files ChangeLog Makefile.am NEWS patches/icedtea-nio2.patch patches/icedtea-xjc.patch patches/security/20110607/6213702.patch patches/security/20110607/6618658.patch patches/security/20110607/7012520.patch patches/security/20110607/7013519.patch patches/security/20110607/7013969.patch patches/security/20110607/7013971.patch patches/security/20110607/7016495.patch patches/security/20110607/7020198.patch patches/security/20110607/7020373.patch
diffstat 14 files changed, 1049 insertions(+), 72 deletions(-) [+]
--- a/ChangeLog	Fri Apr 15 15:21:25 2011 +0200
+++ b/ChangeLog	Tue May 24 23:28:49 2011 +0100
@@ -1,3 +1,21 @@
+2011-05-23  Andrew John Hughes  <ahughes@redhat.com>
+
+	* Makefile.am: Add security patches.
+	* NEWS: List security patches.
+	* patches/icedtea-nio2.patch: Rerolled post-security
+	patching.
+	* patches/security/20110607/6213702.patch,
+	* patches/security/20110607/6618658.patch,
+	* patches/security/20110607/7012520.patch,
+	* patches/security/20110607/7013519.patch,
+	* patches/security/20110607/7013969.patch,
+	* patches/security/20110607/7013971.patch,
+	* patches/security/20110607/7016495.patch,
+	* patches/security/20110607/7020198.patch,
+	* patches/security/20110607/7020373.patch:
+	New security patches.
+	* patches/icedtea-xjc.patch: Rerolled after 7013971.
+
 2011-04-15  Pavel Tisnovsky  <ptisnovs@redhat.com>
 
 	* Makefile.am: Add new patch.
--- a/Makefile.am	Fri Apr 15 15:21:25 2011 +0200
+++ b/Makefile.am	Tue May 24 23:28:49 2011 +0100
@@ -259,7 +259,16 @@
 	patches/security/20110215/6983554.patch \
 	patches/security/20110215/6994263.patch \
 	patches/security/20110215/6985453.patch \
-	patches/security/20110215/6927050.patch
+	patches/security/20110215/6927050.patch \
+	patches/security/20110607/6213702.patch \
+	patches/security/20110607/6618658.patch \
+	patches/security/20110607/7012520.patch \
+	patches/security/20110607/7013519.patch \
+	patches/security/20110607/7013969.patch \
+	patches/security/20110607/7013971.patch \
+	patches/security/20110607/7016495.patch \
+	patches/security/20110607/7020198.patch \
+	patches/security/20110607/7020373.patch
 
 ICEDTEA_PATCHES = \
 	$(SECURITY_PATCHES) \
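Review bot: `SECURITY_PATCHES` gains nine entries under `patches/security/20110607/`, but the NEWS hunk of this same commit lists ten fixes: S7016340 (CVE-2011-0870) has no `7016340.patch` in this list or in the commit's file list. If that fix is carried inside `7013971.patch` (both are described as SAAJ issues), stating so in the NEWS or ChangeLog entry would let an auditor confirm the CVE is covered; otherwise a patch is missing here. The variable's definition starts above the hunk.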
--- a/NEWS	Fri Apr 15 15:21:25 2011 +0200
+++ b/NEWS	Tue May 24 23:28:49 2011 +0100
@@ -10,6 +10,17 @@
 
 New in release 1.8.8 (20XX-XX-XX):
 
+* Security fixes
+  - S6213702, CVE-2011-0872: (so) non-blocking sockets with TCP urgent disabled get still selected for read ops (win)
+  - S6618658, CVE-2011-0865: Vulnerability in deserialization
+  - S7012520, CVE-2011-0815: Heap overflow vulnerability in FileDialog.show()
+  - S7013519, CVE-2011-0822, CVE-2011-0862: Integer overflows in 2D code
+  - S7013969, CVE-2011-0867: NetworkInterface.toString can reveal bindings
+  - S7013971, CVE-2011-0869: Vulnerability in SAAJ
+  - S7016340, CVE-2011-0870: Vulnerability in SAAJ
+  - S7016495, CVE-2011-0868: Crash in Java 2D transforming an image with scale close to zero
+  - S7020198, CVE-2011-0871: ImageIcon creates Component with null acc
+  - S7020373, CVE-2011-0864: JSR rewriting can overflow memory address size variables
 * Backports
   - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
   - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
--- a/patches/icedtea-nio2.patch	Fri Apr 15 15:21:25 2011 +0200
+++ b/patches/icedtea-nio2.patch	Tue May 24 23:28:49 2011 +0100
@@ -1,6 +1,6 @@
 diff -Nru openjdk.orig/jdk/make/docs/CORE_PKGS.gmk openjdk/jdk/make/docs/CORE_PKGS.gmk
---- openjdk.orig/jdk/make/docs/CORE_PKGS.gmk	2009-10-14 18:17:14.000000000 +0100
-+++ openjdk/jdk/make/docs/CORE_PKGS.gmk	2011-02-09 18:08:16.658865718 +0000
+--- openjdk.orig/jdk/make/docs/CORE_PKGS.gmk	2010-02-17 03:14:12.000000000 +0000
++++ openjdk/jdk/make/docs/CORE_PKGS.gmk	2011-05-24 16:56:10.111489988 +0100
 @@ -36,6 +36,7 @@
    sunw.*                   \
    com.sun.*                \
@@ -10,9 +10,9 @@
    org.w3c.dom.css          \
    org.w3c.dom.html         \
 diff -Nru openjdk.orig/jdk/make/docs/Makefile openjdk/jdk/make/docs/Makefile
---- openjdk.orig/jdk/make/docs/Makefile	2011-02-09 18:07:27.000000000 +0000
-+++ openjdk/jdk/make/docs/Makefile	2011-02-09 18:08:16.666865802 +0000
-@@ -404,6 +404,29 @@
+--- openjdk.orig/jdk/make/docs/Makefile	2011-05-24 16:39:30.000000000 +0100
++++ openjdk/jdk/make/docs/Makefile	2011-05-24 16:56:10.115490058 +0100
+@@ -405,6 +405,29 @@
  # TREEAPI_PKGS is located in NON_CORE_PKGS.gmk
  
  #
@@ -42,7 +42,7 @@
  # Path where javadoc should find source files for release docs
  #
  RELEASEDOCS_SRCPATH = "$(SHARE_SRC)/classes$(CLASSPATH_SEPARATOR)$(PLATFORM_SRC)/classes$(CLASSPATH_SEPARATOR)$(GENSRCDIR)$(CLASSPATH_SEPARATOR)$(SHARE_SRC)/doc/stub$(CLASSPATH_SEPARATOR)$(CLOSED_SRC)/share/classes$(CLASSPATH_SEPARATOR)$(IMPORTSRCDIR)"
-@@ -429,7 +452,8 @@
+@@ -430,7 +453,8 @@
      httpserverdocs  \
      mgmtdocs \
      attachdocs \
@@ -52,7 +52,7 @@
  
  ifdef LANGTOOLS_DIST
      ALL_OTHER_TARGETS += \
-@@ -646,6 +670,14 @@
+@@ -647,6 +671,14 @@
  		   $(TREEAPI_LINKOPT)                  \
  		   $(TREEAPI_PKGS)
  
@@ -68,8 +68,8 @@
  # List the values defined in the makefile hierarchy, to make sure everything
  # is set properly, and to help identify values we can use instead of making new ones.
 diff -Nru openjdk.orig/jdk/make/docs/NON_CORE_PKGS.gmk openjdk/jdk/make/docs/NON_CORE_PKGS.gmk
---- openjdk.orig/jdk/make/docs/NON_CORE_PKGS.gmk	2011-02-09 18:07:28.000000000 +0000
-+++ openjdk/jdk/make/docs/NON_CORE_PKGS.gmk	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/docs/NON_CORE_PKGS.gmk	2011-05-24 16:39:31.000000000 +0100
++++ openjdk/jdk/make/docs/NON_CORE_PKGS.gmk	2011-05-24 16:56:10.115490058 +0100
 @@ -65,6 +65,16 @@
  HTTPSERVER_PKGS  = com.sun.net.httpserver       \
                     com.sun.net.httpserver.spi 
@@ -87,8 +87,8 @@
  DOCLETAPI_PKGS   = com.sun.javadoc
  
  TAGLETAPI_FILE   = com/sun/tools/doclets/Taglet.java
-@@ -94,6 +104,7 @@
-                    $(JAVASCRIPT_PKGS) \
+@@ -93,6 +103,7 @@
+                    $(MGMT_PKGS) \
                     $(JAAS_PKGS) \
                     $(JGSS_PKGS) \
 +		   $(NIO2_PKGS) \
@@ -96,9 +96,9 @@
                     $(HTTPSERVER_PKGS) \
                     $(SMARTCARDIO_PKGS) \
 diff -Nru openjdk.orig/jdk/make/java/java/FILES_java.gmk openjdk/jdk/make/java/java/FILES_java.gmk
---- openjdk.orig/jdk/make/java/java/FILES_java.gmk	2011-02-09 18:07:21.000000000 +0000
-+++ openjdk/jdk/make/java/java/FILES_java.gmk	2011-02-09 18:08:16.666865802 +0000
-@@ -517,6 +517,13 @@
+--- openjdk.orig/jdk/make/java/java/FILES_java.gmk	2011-05-24 16:39:29.000000000 +0100
++++ openjdk/jdk/make/java/java/FILES_java.gmk	2011-05-24 16:56:10.115490058 +0100
+@@ -518,6 +518,13 @@
      sun/misc/JavaLangAccess.java \
      sun/misc/JavaIOAccess.java \
      sun/misc/JavaIODeleteOnExitAccess.java \
@@ -114,8 +114,8 @@
  
  FILES_java = $(JAVA_JAVA_java)
 diff -Nru openjdk.orig/jdk/make/java/nio/FILES_java.gmk openjdk/jdk/make/java/nio/FILES_java.gmk
---- openjdk.orig/jdk/make/java/nio/FILES_java.gmk	2011-02-09 18:07:22.000000000 +0000
-+++ openjdk/jdk/make/java/nio/FILES_java.gmk	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/java/nio/FILES_java.gmk	2011-05-24 16:39:30.000000000 +0100
++++ openjdk/jdk/make/java/nio/FILES_java.gmk	2011-05-24 16:56:10.115490058 +0100
 @@ -75,12 +75,13 @@
          sun/nio/ch/DefaultSelectorProvider.java \
  	sun/nio/ch/DirectBuffer.java \
@@ -139,7 +139,7 @@
  	sun/nio/ch/SocketOpts.java \
  	sun/nio/ch/SocketOptsImpl.java \
          sun/nio/ch/SourceChannelImpl.java \
-@@ -144,7 +146,150 @@
+@@ -145,7 +147,150 @@
  	java/lang/StringCoding.java \
  	\
  	sun/misc/Cleaner.java \
@@ -291,7 +291,7 @@
  
  # Generated coder classes
  #
-@@ -263,10 +408,20 @@
+@@ -264,10 +409,20 @@
  	\
  	java/nio/charset/CharacterCodingException.java \
  	java/nio/charset/IllegalCharsetNameException.java \
@@ -315,8 +315,8 @@
  
  FILES_java = $(FILES_src) $(FILES_gen)
 diff -Nru openjdk.orig/jdk/make/java/nio/Makefile openjdk/jdk/make/java/nio/Makefile
---- openjdk.orig/jdk/make/java/nio/Makefile	2011-02-09 18:07:22.000000000 +0000
-+++ openjdk/jdk/make/java/nio/Makefile	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/java/nio/Makefile	2011-05-24 16:39:30.000000000 +0100
++++ openjdk/jdk/make/java/nio/Makefile	2011-05-24 16:56:10.119490127 +0100
 @@ -40,6 +40,11 @@
  SNIO_SRC = $(SHARE_SRC)/classes/sun/nio
  SNIO_GEN = $(GENSRCDIR)/sun/nio
@@ -663,8 +663,8 @@
 +
  .PHONY: sources
 diff -Nru openjdk.orig/jdk/make/java/nio/mapfile-linux openjdk/jdk/make/java/nio/mapfile-linux
---- openjdk.orig/jdk/make/java/nio/mapfile-linux	2009-10-14 18:17:15.000000000 +0100
-+++ openjdk/jdk/make/java/nio/mapfile-linux	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/java/nio/mapfile-linux	2010-02-17 03:14:13.000000000 +0000
++++ openjdk/jdk/make/java/nio/mapfile-linux	2011-05-24 16:56:10.119490127 +0100
 @@ -20,6 +20,14 @@
  		Java_sun_nio_ch_EPollArrayWrapper_interrupt;
  		Java_sun_nio_ch_EPollArrayWrapper_offsetofData;
@@ -781,8 +781,8 @@
  	local:
  		*;
 diff -Nru openjdk.orig/jdk/make/java/nio/mapfile-solaris openjdk/jdk/make/java/nio/mapfile-solaris
---- openjdk.orig/jdk/make/java/nio/mapfile-solaris	2009-10-14 18:17:15.000000000 +0100
-+++ openjdk/jdk/make/java/nio/mapfile-solaris	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/java/nio/mapfile-solaris	2010-02-17 03:14:13.000000000 +0000
++++ openjdk/jdk/make/java/nio/mapfile-solaris	2011-05-24 16:56:10.119490127 +0100
 @@ -73,6 +73,75 @@
  		Java_sun_nio_ch_ServerSocketChannelImpl_listen;
                  Java_sun_nio_ch_SocketChannelImpl_checkConnect;
@@ -860,8 +860,8 @@
  	local:
  		*;
 diff -Nru openjdk.orig/jdk/make/mkdemo/Makefile openjdk/jdk/make/mkdemo/Makefile
---- openjdk.orig/jdk/make/mkdemo/Makefile	2009-10-14 18:17:15.000000000 +0100
-+++ openjdk/jdk/make/mkdemo/Makefile	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/mkdemo/Makefile	2010-02-17 03:14:13.000000000 +0000
++++ openjdk/jdk/make/mkdemo/Makefile	2011-05-24 16:56:10.119490127 +0100
 @@ -31,7 +31,7 @@
  PRODUCT = demos
  include $(BUILDDIR)/common/Defs.gmk
@@ -872,8 +872,8 @@
  all build:: nbproject
  	$(SUBDIRS-loop)
 diff -Nru openjdk.orig/jdk/make/mksample/nio/Makefile openjdk/jdk/make/mksample/nio/Makefile
---- openjdk.orig/jdk/make/mksample/nio/Makefile	2009-10-14 18:17:15.000000000 +0100
-+++ openjdk/jdk/make/mksample/nio/Makefile	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/make/mksample/nio/Makefile	2010-02-17 03:14:13.000000000 +0000
++++ openjdk/jdk/make/mksample/nio/Makefile	2011-05-24 16:56:10.119490127 +0100
 @@ -31,7 +31,7 @@
  PRODUCT = java
  include $(BUILDDIR)/common/Defs.gmk
@@ -884,8 +884,8 @@
  	$(SUBDIRS-loop)
  
 diff -Nru openjdk.orig/jdk/src/share/classes/java/io/File.java openjdk/jdk/src/share/classes/java/io/File.java
---- openjdk.orig/jdk/src/share/classes/java/io/File.java	2011-02-09 18:07:20.000000000 +0000
-+++ openjdk/jdk/src/share/classes/java/io/File.java	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/src/share/classes/java/io/File.java	2011-05-24 16:39:24.000000000 +0100
++++ openjdk/jdk/src/share/classes/java/io/File.java	2011-05-24 16:56:10.119490127 +0100
 @@ -1958,6 +1958,13 @@
                  }
              }
@@ -901,27 +901,28 @@
  
  
 diff -Nru openjdk.orig/jdk/src/share/classes/java/net/NetworkInterface.java openjdk/jdk/src/share/classes/java/net/NetworkInterface.java
---- openjdk.orig/jdk/src/share/classes/java/net/NetworkInterface.java	2011-02-09 18:07:20.000000000 +0000
-+++ openjdk/jdk/src/share/classes/java/net/NetworkInterface.java	2011-02-09 18:08:16.666865802 +0000
-@@ -536,4 +536,15 @@
+--- openjdk.orig/jdk/src/share/classes/java/net/NetworkInterface.java	2011-05-24 16:39:28.000000000 +0100
++++ openjdk/jdk/src/share/classes/java/net/NetworkInterface.java	2011-05-24 16:56:33.199889370 +0100
+@@ -531,4 +531,16 @@
      }
+ 
      private static native void init();
- 
++
 +    // Set up JavaIODeleteOnExitAccess in SharedSecrets
 +    // Added here as getIndex is package-private and SharedSecrets cannot easily access it.
 +    static {
-+	org.classpath.icedtea.misc.SharedSecrets.setJavaNetGetIndexAccess(
++        org.classpath.icedtea.misc.SharedSecrets.setJavaNetGetIndexAccess(
 +            new org.classpath.icedtea.misc.JavaNetGetIndexAccess() {
-+	      public int getIndex(NetworkInterface nf) { return nf.getIndex(); }
-+	      public NetworkInterface getByIndex(int i) { return getByIndex(i); }
++              public int getIndex(NetworkInterface nf) { return nf.getIndex(); }
++              public NetworkInterface getByIndex(int i) { return getByIndex(i); }
 +            }
-+        );            									    
++        );
 +    }
 +
  }
 diff -Nru openjdk.orig/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java openjdk/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java
---- openjdk.orig/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	2009-10-14 18:17:30.000000000 +0100
-+++ openjdk/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	2011-02-09 18:08:16.666865802 +0000
+--- openjdk.orig/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	2010-02-17 03:14:25.000000000 +0000
++++ openjdk/jdk/src/share/classes/java/util/concurrent/ThreadPoolExecutor.java	2011-05-24 16:56:10.119490127 +0100
 @@ -2004,4 +2004,23 @@
              }
          }
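Review bot: In the re-indented static block of NetworkInterface.java, `public NetworkInterface getByIndex(int i) { return getByIndex(i); }` calls itself: inside the anonymous class the unqualified name resolves to that class's own method, so any call through this accessor would end in a StackOverflowError. If the enclosing class's lookup is what is meant, qualify the call, e.g. `return NetworkInterface.getByIndex(i);` (its declaration, and any checked exception it throws, are outside the hunk). The comment above the block also names `JavaIODeleteOnExitAccess` while the code installs `JavaNetGetIndexAccess`. This commit only changes the indentation of these lines, so the defect is carried over rather than introduced.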
@@ -947,8 +948,8 @@
 +
  }
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/misc/Unsafe.java openjdk/jdk/src/share/classes/sun/misc/Unsafe.java
---- openjdk.orig/jdk/src/share/classes/sun/misc/Unsafe.java	2009-10-14 18:17:41.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/misc/Unsafe.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/misc/Unsafe.java	2010-02-17 03:14:33.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/misc/Unsafe.java	2011-05-24 16:56:10.119490127 +0100
 @@ -504,9 +504,33 @@
      /**
       * Sets all bytes in a given block of memory to a copy of another
@@ -996,8 +997,8 @@
       * Report the scale factor for addressing elements in the storage
       * allocation of a given array class.  However, arrays of "narrow" types
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java	2011-02-09 18:07:20.000000000 +0000
-+++ openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java	2011-02-09 18:09:30.467645679 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java	2011-05-24 16:39:25.000000000 +0100
++++ openjdk/jdk/src/share/classes/sun/nio/ch/DatagramChannelImpl.java	2011-05-24 16:56:10.119490127 +0100
 @@ -29,9 +29,29 @@
  import java.io.IOException;
  import java.net.*;
@@ -1462,8 +1463,8 @@
 +
  }
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java openjdk/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java	2009-10-14 18:17:41.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java	2010-02-17 03:14:34.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/nio/ch/FileChannelImpl.java	2011-05-24 16:56:10.119490127 +0100
 @@ -32,8 +32,15 @@
  import java.io.IOException;
  import java.nio.ByteBuffer;
@@ -1513,8 +1514,8 @@
          ensureOpen();
          int rv = -1;
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/nio/ch/Net.java openjdk/jdk/src/share/classes/sun/nio/ch/Net.java
---- openjdk.orig/jdk/src/share/classes/sun/nio/ch/Net.java	2011-02-09 18:07:20.000000000 +0000
-+++ openjdk/jdk/src/share/classes/sun/nio/ch/Net.java	2011-02-09 18:10:11.680081053 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/nio/ch/Net.java	2011-05-24 16:39:25.000000000 +0100
++++ openjdk/jdk/src/share/classes/sun/nio/ch/Net.java	2011-05-24 16:56:10.119490127 +0100
 @@ -30,6 +30,15 @@
  import java.net.*;
  import java.nio.channels.*;
@@ -1875,8 +1876,8 @@
 +
  }
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java openjdk/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java
---- openjdk.orig/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java	2009-10-14 18:17:42.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java	2010-02-17 03:14:34.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/nio/ch/SelectorProviderImpl.java	2011-05-24 16:56:10.119490127 +0100
 @@ -1,5 +1,5 @@
  /*
 - * Copyright 2000-2001 Sun Microsystems, Inc.  All Rights Reserved.
@@ -1923,8 +1924,8 @@
 -
  }
 diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/util/SecurityConstants.java openjdk/jdk/src/share/classes/sun/security/util/SecurityConstants.java
---- openjdk.orig/jdk/src/share/classes/sun/security/util/SecurityConstants.java	2009-10-14 18:17:47.000000000 +0100
-+++ openjdk/jdk/src/share/classes/sun/security/util/SecurityConstants.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/share/classes/sun/security/util/SecurityConstants.java	2010-02-17 03:14:39.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/util/SecurityConstants.java	2011-05-24 16:56:10.119490127 +0100
 @@ -52,6 +52,7 @@
      public static final String FILE_EXECUTE_ACTION = "execute";
      public static final String FILE_READ_ACTION = "read";
@@ -1934,8 +1935,8 @@
      public static final String SOCKET_RESOLVE_ACTION = "resolve";
      public static final String SOCKET_CONNECT_ACTION = "connect";
 diff -Nru openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java openjdk/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java
---- openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java	2009-10-14 18:17:57.000000000 +0100
-+++ openjdk/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java	2010-02-17 03:14:46.000000000 +0000
++++ openjdk/jdk/src/solaris/classes/sun/nio/ch/FileDispatcher.java	2011-05-24 16:56:10.119490127 +0100
 @@ -35,6 +35,11 @@
  class FileDispatcher extends NativeDispatcher
  {
@@ -1997,8 +1998,8 @@
 +
  }
 diff -Nru openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java openjdk/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java
---- openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java	2009-10-14 18:17:57.000000000 +0100
-+++ openjdk/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java	2010-02-17 03:14:46.000000000 +0000
++++ openjdk/jdk/src/solaris/classes/sun/nio/ch/InheritedChannel.java	2011-05-24 16:56:10.119490127 +0100
 @@ -34,7 +34,8 @@
  import java.nio.channels.SocketChannel;
  import java.nio.channels.ServerSocketChannel;
@@ -2010,8 +2011,8 @@
  class InheritedChannel {
  
 diff -Nru openjdk.orig/jdk/src/solaris/native/sun/nio/ch/Net.c openjdk/jdk/src/solaris/native/sun/nio/ch/Net.c
---- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/Net.c	2009-10-14 18:17:59.000000000 +0100
-+++ openjdk/jdk/src/solaris/native/sun/nio/ch/Net.c	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/Net.c	2010-02-17 03:14:48.000000000 +0000
++++ openjdk/jdk/src/solaris/native/sun/nio/ch/Net.c	2011-05-24 16:56:10.123490196 +0100
 @@ -1,5 +1,5 @@
  /*
 - * Copyright 2001-2007 Sun Microsystems, Inc.  All Rights Reserved.
@@ -2694,8 +2695,8 @@
  /* Declared in nio_util.h */
  
 diff -Nru openjdk.orig/jdk/src/solaris/native/sun/nio/ch/nio_util.h openjdk/jdk/src/solaris/native/sun/nio/ch/nio_util.h
---- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/nio_util.h	2009-10-14 18:17:59.000000000 +0100
-+++ openjdk/jdk/src/solaris/native/sun/nio/ch/nio_util.h	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/solaris/native/sun/nio/ch/nio_util.h	2010-02-17 03:14:48.000000000 +0000
++++ openjdk/jdk/src/solaris/native/sun/nio/ch/nio_util.h	2011-05-24 16:56:10.123490196 +0100
 @@ -1,5 +1,5 @@
  /*
 - * Copyright 2001-2002 Sun Microsystems, Inc.  All Rights Reserved.
@@ -2720,8 +2721,8 @@
  /* NIO utility procedures */
  
 diff -Nru openjdk.orig/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java openjdk/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java
---- openjdk.orig/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java	2009-10-14 18:18:00.000000000 +0100
-+++ openjdk/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java	2011-02-09 18:08:16.682865972 +0000
+--- openjdk.orig/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java	2010-02-17 03:14:49.000000000 +0000
++++ openjdk/jdk/src/windows/classes/sun/nio/ch/FileDispatcher.java	2011-05-24 16:56:10.123490196 +0100
 @@ -36,6 +36,11 @@
  class FileDispatcher extends NativeDispatcher
  {
--- a/patches/icedtea-xjc.patch	Fri Apr 15 15:21:25 2011 +0200
+++ b/patches/icedtea-xjc.patch	Tue May 24 23:28:49 2011 +0100
@@ -1,19 +1,18 @@
 diff -Nru openjdk.orig/jaxws/build.properties openjdk/jaxws/build.properties
---- openjdk.orig/jaxws/build.properties	2009-12-04 16:41:02.000000000 +0000
-+++ openjdk/jaxws/build.properties	2009-12-04 16:41:47.000000000 +0000
-@@ -73,6 +73,9 @@
- # Where patches to drop bundle sources live
+--- openjdk.orig/jaxws/build.properties	2011-05-23 23:27:25.858844463 +0100
++++ openjdk/jaxws/build.properties	2011-05-23 23:28:12.143588051 +0100
+@@ -78,7 +78,7 @@
  patches.dir=patches
  
-+# Patches to apply
-+jaxws_src.patch.list=xjc.patch
-+
+ # Patches to apply
+-jaxws_src.patch.list=7013971.patch
++jaxws_src.patch.list=7013971.patch xjc.patch
+ 
  # Sanity information
  sanity.info= Sanity Settings:${line.separator}\
-   ant.home=${ant.home}${line.separator}\
 diff -Nru openjdk.orig/jaxws/patches/jaxws_src/xjc.patch openjdk/jaxws/patches/jaxws_src/xjc.patch
 --- openjdk.orig/jaxws/patches/jaxws_src/xjc.patch	1970-01-01 01:00:00.000000000 +0100
-+++ openjdk/jaxws/patches/jaxws_src/xjc.patch	2009-12-04 16:40:10.000000000 +0000
++++ openjdk/jaxws/patches/jaxws_src/xjc.patch	2011-05-23 23:28:02.719436649 +0100
 @@ -0,0 +1,17 @@
 +--- src/com/sun/tools/internal/xjc/reader/xmlschema/parser/SchemaConstraintChecker.java.prev       2008-10-21 15:50:20.000000000 +0100
 ++++ src/com/sun/tools/internal/xjc/reader/xmlschema/parser/SchemaConstraintChecker.java    2008-10-21 15:57:37.000000000 +0100
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/6213702.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,85 @@
+diff -Nru openjdk.orig/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java openjdk/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java
+--- openjdk.orig/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java	2010-02-17 03:14:49.000000000 +0000
++++ openjdk/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java	2011-05-24 16:36:14.987888272 +0100
+@@ -308,14 +308,17 @@
+         private int processSelectedKeys(long updateCount) {
+             int numKeysUpdated = 0;
+             numKeysUpdated += processFDSet(updateCount, readFds,
+-                                           PollArrayWrapper.POLLIN);
++                                           PollArrayWrapper.POLLIN,
++                                           false);
+             numKeysUpdated += processFDSet(updateCount, writeFds,
+                                            PollArrayWrapper.POLLCONN |
+-                                           PollArrayWrapper.POLLOUT);
++                                           PollArrayWrapper.POLLOUT,
++                                           false);
+             numKeysUpdated += processFDSet(updateCount, exceptFds,
+                                            PollArrayWrapper.POLLIN |
+                                            PollArrayWrapper.POLLCONN |
+-                                           PollArrayWrapper.POLLOUT);
++                                           PollArrayWrapper.POLLOUT,
++                                           true);
+             return numKeysUpdated;
+         }
+ 
+@@ -327,7 +330,8 @@
+          *
+          * me.updateCount <= me.clearedCount <= updateCount
+          */
+-        private int processFDSet(long updateCount, int[] fds, int rOps) {
++        private int processFDSet(long updateCount, int[] fds, int rOps,
++                                 boolean isExceptFds) {
+             int numKeysUpdated = 0;
+             for (int i = 1; i <= fds[0]; i++) {
+                 int desc = fds[i];
+@@ -343,6 +347,17 @@
+                 if (me == null)
+                     continue;
+                 SelectionKeyImpl sk = me.ski;
++
++                // The descriptor may be in the exceptfds set because there is
++                // OOB data queued to the socket. If there is OOB data then it
++                // is discarded and the key is not added to the selected set.
++                if (isExceptFds &&
++                    (sk.channel() instanceof SocketChannelImpl) &&
++                    discardUrgentData(desc))
++                {
++                    continue;
++                }
++
+                 if (selectedKeys.contains(sk)) { // Key in selected set
+                     if (me.clearedCount != updateCount) {
+                         if (sk.channel.translateAndSetReadyOps(rOps, sk) &&
+@@ -449,6 +464,8 @@
+ 
+     private native void resetWakeupSocket0(int wakeupSourceFd);
+ 
++    private native boolean discardUrgentData(int fd);
++
+     // We increment this counter on each call to updateSelectedKeys()
+     // each entry in  SubSelector.fdsMap has a memorized value of
+     // updateCount. When we increment numKeysUpdated we set updateCount
+diff -Nru openjdk.orig/jdk/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c openjdk/jdk/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c
+--- openjdk.orig/jdk/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c	2010-02-17 03:14:49.000000000 +0000
++++ openjdk/jdk/src/windows/native/sun/nio/ch/WindowsSelectorImpl.c	2011-05-24 16:36:14.987888272 +0100
+@@ -211,3 +211,20 @@
+         recv(scinFd, bytes, WAKEUP_SOCKET_BUF_SIZE, 0);
+     }
+ }
++
++JNIEXPORT jboolean JNICALL
++Java_sun_nio_ch_WindowsSelectorImpl_discardUrgentData(JNIEnv* env, jobject this,
++                                                      jint s)
++{
++    char data[8];
++    jboolean discarded = JNI_FALSE;
++    int n;
++    do {
++        n = recv(s, data, sizeof(data), MSG_OOB);
++        if (n > 0) {
++            discarded = JNI_TRUE;
++        }
++    } while (n > 0);
++    return discarded;
++}
++
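Review bot: The new native `discardUrgentData` has no comment describing its contract, and its loop treats a `recv` error the same as "no more urgent data": any `n <= 0` ends the loop and only the `discarded` flag is returned. A short header comment would make that explicit, e.g. `/* Reads and drops queued OOB bytes; returns JNI_TRUE if any byte was dropped. recv errors end the loop and are not reported. */`. On the Java side `processFDSet` skips the key for the exceptFds pass only when this returns true, so the comment there could add that an error falls through to the normal ready-ops handling. `processFDSet` continues outside the inner hunks shown.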
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/6618658.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,18 @@
+--- openjdk/jdk/src/share/classes/java/security/SignedObject.java	2011-02-09 16:33:11.000000000 +0800
++++ openjdk/jdk/src/share/classes/java/security/SignedObject.java	2011-02-09 16:33:10.000000000 +0800
+@@ -249,10 +249,10 @@
+      * a stream.
+      */
+     private void readObject(java.io.ObjectInputStream s)
+-         throws java.io.IOException, ClassNotFoundException
+-    {
+-        s.defaultReadObject();
+-        content = content.clone();
+-        signature = signature.clone();
++        throws java.io.IOException, ClassNotFoundException {
++            java.io.ObjectInputStream.GetField fields = s.readFields();
++            content = ((byte[])fields.get("content", null)).clone();
++            signature = ((byte[])fields.get("signature", null)).clone();
++            thealgorithm = (String)fields.get("thealgorithm", null);
+     }
+ }
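Review bot: `fields.get("content", null)` and `fields.get("signature", null)` return null when the stream carries no such field or a null value, so the chained `.clone()` ends `readObject` with a NullPointerException instead of a serialization error. Reading both into locals and guarding before the clone, e.g. `if (c == null || sig == null) throw new java.io.InvalidObjectException("content or signature is null");`, keeps a malformed stream on the declared IOException path. `thealgorithm` is likewise accepted as null here; whether the class's other methods tolerate that is not visible in this hunk.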
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7012520.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,25 @@
+# HG changeset patch
+# User dcherepanov
+# Date 1301921550 -14400
+# Node ID 049b0098d27c509fd57843ab4ea7aa5fa5fc84bd
+# Parent  dc0eabbd9955ebe6a40aa931d6f3333e1f50a1b2
+7012520: Heap overflow vulnerability in FileDialog.show()
+Reviewed-by: art, anthony
+
+diff --git a/src/windows/native/sun/windows/awt_FileDialog.cpp b/src/windows/native/sun/windows/awt_FileDialog.cpp
+--- openjdk/jdk/src/windows/native/sun/windows/awt_FileDialog.cpp
++++ openjdk/jdk/src/windows/native/sun/windows/awt_FileDialog.cpp
+@@ -231,11 +231,12 @@ AwtFileDialog::Show(void *p)
+         JavaStringBuffer directoryBuffer(env, directory);
+ 
+         fileBuffer = new TCHAR[MAX_PATH+1];
++        memset(fileBuffer, 0, (MAX_PATH+1) * sizeof(TCHAR));
+ 
+         file = (jstring)env->GetObjectField(target, AwtFileDialog::fileID);
+         if (file != NULL) {
+             LPCTSTR tmp = JNU_GetStringPlatformChars(env, file, NULL);
+-            _tcscpy(fileBuffer, tmp);
++            _tcsncpy(fileBuffer, tmp, MAX_PATH-1); // the fileBuffer is double null terminated string
+             JNU_ReleaseStringPlatformChars(env, file, tmp);
+         } else {
+             fileBuffer[0] = _T('\0');
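Review bot: `tmp` is passed to `_tcsncpy` without a null check, and `JNU_GetStringPlatformChars` can return NULL on failure, so the bounded copy still dereferences a null source in that case. Guarding the copy and the release, `if (tmp != NULL) { _tcsncpy(fileBuffer, tmp, MAX_PATH-1); JNU_ReleaseStringPlatformChars(env, file, tmp); }`, closes that path; the buffer is already zeroed by the added `memset`, which also makes the `else` branch's `fileBuffer[0] = _T('\0')` redundant. A name longer than `MAX_PATH-1` is now silently truncated, which deserves a word in the trailing comment. `AwtFileDialog::Show` starts and ends outside the hunk.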
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7013519.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,50 @@
+# HG changeset patch
+# User bae
+# Date 1301414029 -14400
+# Node ID dc0eabbd9955ebe6a40aa931d6f3333e1f50a1b2
+# Parent  bfc1a4516e20e13c84b6597d7bfcbd2fbc3e0c4d
+7013519: [parfait] Integer overflows in 2D code
+Reviewed-by: prr
+
+diff --git a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
+--- openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
++++ openjdk/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
+@@ -40,6 +40,7 @@
+ #include <setjmp.h>
+ #include <assert.h>
+ #include <string.h>
++#include <limits.h>
+ 
+ 
+ /* java native interface headers */
+@@ -1921,6 +1922,14 @@ Java_com_sun_imageio_plugins_jpeg_JPEGIm
+     }
+ 
+     // Allocate a 1-scanline buffer
++    if (cinfo->num_components <= 0 ||
++        cinfo->image_width > (UINT_MAX / (unsigned int)cinfo->num_components))
++    {
++        RELEASE_ARRAYS(env, data, src->next_input_byte);
++        JNU_ThrowByName(env, "javax/imageio/IIOException",
++                        "Invalid number of color components");
++        return data->abortFlag;
++    }
+     scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->num_components);
+     if (scanLinePtr == NULL) {
+         RELEASE_ARRAYS(env, data, src->next_input_byte);
+diff --git a/src/share/native/sun/font/layout/SunLayoutEngine.cpp b/src/share/native/sun/font/layout/SunLayoutEngine.cpp
+--- openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp
++++ openjdk/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp
+@@ -186,7 +186,11 @@ JNIEXPORT void JNICALL Java_sun_font_Sun
+   jchar buffer[256];
+   jchar* chars = buffer;
+   if (len > 256) {
+-    chars = (jchar*)malloc(len * sizeof(jchar));
++    size_t size = len * sizeof(jchar);
++    if (size / sizeof(jchar) != len) {
++      return;
++    }
++    chars = (jchar*)malloc(size);
+     if (chars == 0) {
+       return;
+     }
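Review bot: The IIOException raised by the new guard in imageioJPEG.c says "Invalid number of color components" even when the condition that fired is `cinfo->image_width > (UINT_MAX / (unsigned int)cinfo->num_components)`, where the width is what would make the product wrap. A message such as `"Invalid image width or number of color components"` would match both branches and make a rejected file easier to diagnose. In SunLayoutEngine.cpp the overflow path returns without raising anything, as the allocation-failure path beside it does; a one-line comment like `// size overflow: bail out silently, same as allocation failure` would document that choice. Both functions begin and end outside the inner hunks.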
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7013969.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,26 @@
+# HG changeset patch
+# User chegar
+# Date 1298025619 0
+# Node ID 4c569f18b5a1f4eeb7e13fafba7375e39a5b9161
+# Parent  05a59c28ae9fcb8f7c3362a4e1eeeaa1818edbdc
+7013969: NetworkInterface.toString can reveal bindings
+Reviewed-by: alanb, michaelm, hawtin
+
+diff --git a/src/share/classes/java/net/NetworkInterface.java b/src/share/classes/java/net/NetworkInterface.java
+--- openjdk/jdk/src/share/classes/java/net/NetworkInterface.java
++++ openjdk/jdk/src/share/classes/java/net/NetworkInterface.java
+@@ -527,13 +527,8 @@ public final class NetworkInterface {
+         if (displayName != null) {
+             result += " (" + displayName + ")";
+         }
+-        result += " index: "+index+" addresses:\n";
+-        for (Enumeration e = getInetAddresses(); e.hasMoreElements(); ) {
+-            InetAddress addr = (InetAddress)e.nextElement();
+-            result += addr+";\n";
+-        }
+         return result;
+     }
++
+     private static native void init();
+-
+ }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7013971.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,134 @@
+diff -Nru openjdk.orig/jaxws/build.properties openjdk/jaxws/build.properties
+--- openjdk.orig/jaxws/build.properties	2011-05-23 22:48:31.989289627 +0100
++++ openjdk/jaxws/build.properties	2011-05-23 22:49:09.841901697 +0100
+@@ -77,6 +77,9 @@
+ # Where patches to drop bundle sources live
+ patches.dir=patches
+ 
++# Patches to apply
++jaxws_src.patch.list=7013971.patch
++
+ # Sanity information
+ sanity.info= Sanity Settings:${line.separator}\
+   ant.home=${ant.home}${line.separator}\
+diff -Nru openjdk.orig/jaxws/patches/jaxws_src/7013971.patch openjdk/jaxws/patches/jaxws_src/7013971.patch
+--- openjdk.orig/jaxws/patches/jaxws_src/7013971.patch	1970-01-01 01:00:00.000000000 +0100
++++ openjdk/jaxws/patches/jaxws_src/7013971.patch	2011-05-23 22:50:07.414832540 +0100
+@@ -0,0 +1,117 @@
++--- src/com/sun/xml/internal/messaging/saaj/client/p2p/HttpSOAPConnection.java	Tue Jul 21 14:54:59 2009 -0700
+++++ src/com/sun/xml/internal/messaging/saaj/client/p2p/HttpSOAPConnection.java	Mon Feb 14 09:09:00 2011 +0530
++@@ -72,16 +72,11 @@ public class HttpSOAPConnection extends 
++         Logger.getLogger(LogDomainConstants.HTTP_CONN_DOMAIN,
++                          "com.sun.xml.internal.messaging.saaj.client.p2p.LocalStrings");
++ 
++-    private static final String defaultProxyHost = null;
++-    private static final int defaultProxyPort = -1;
++-
++     MessageFactory messageFactory = null;
++ 
++     boolean closed = false;
++ 
++     public HttpSOAPConnection() throws SOAPException {
++-        proxyHost = defaultProxyHost;
++-        proxyPort = defaultProxyPort;
++ 
++         try {
++             messageFactory = MessageFactory.newInstance(SOAPConstants.DYNAMIC_SOAP_PROTOCOL);
++@@ -157,11 +152,7 @@ public class HttpSOAPConnection extends 
++ 
++         if (endPoint instanceof URL)
++             try {
++-                PriviledgedPost pp =
++-                    new PriviledgedPost(this, message, (URL) endPoint);
++-                SOAPMessage response =
++-                    (SOAPMessage) AccessController.doPrivileged(pp);
++-
+++                SOAPMessage response = post(message, (URL) endPoint);
++                 return response;
++             } catch (Exception ex) {
++                 // TBD -- chaining?
++@@ -170,73 +161,6 @@ public class HttpSOAPConnection extends 
++             log.severe("SAAJ0007.p2p.bad.endPoint.type");
++             throw new SOAPExceptionImpl("Bad endPoint type " + endPoint);
++         }
++-    }
++-
++-    static class PriviledgedPost implements PrivilegedExceptionAction {
++-
++-        HttpSOAPConnection c;
++-        SOAPMessage message;
++-        URL endPoint;
++-
++-        PriviledgedPost(
++-            HttpSOAPConnection c,
++-            SOAPMessage message,
++-            URL endPoint) {
++-            this.c = c;
++-            this.message = message;
++-            this.endPoint = endPoint;
++-        }
++-
++-        public Object run() throws Exception {
++-            return c.post(message, endPoint);
++-        }
++-    }
++-
++-    // TBD
++-    //    Fix this to do things better.
++-
++-    private String proxyHost = null;
++-
++-    static class PriviledgedSetProxyAction implements PrivilegedExceptionAction {
++-                                                                                                                                             
++-        String proxyHost = null;
++-        int proxyPort = 0;
++-
++-        PriviledgedSetProxyAction(String host, int port) {
++-            this.proxyHost = host;
++-            this.proxyPort = port;
++-        }
++-                                                                                                                                             
++-        public Object run() throws Exception {
++-            System.setProperty("http.proxyHost", proxyHost);
++-            System.setProperty("http.proxyPort", new Integer(proxyPort).toString());
++-            log.log(Level.FINE, "SAAJ0050.p2p.proxy.host", 
++-                    new String[] { proxyHost });
++-            log.log(Level.FINE, "SAAJ0051.p2p.proxy.port",
++-                    new String[] { new Integer(proxyPort).toString() });
++-            return proxyHost;
++-        }
++-    }
++-
++-
++-    public void setProxy(String host, int port) {
++-        try {
++-            proxyPort = port;
++-            PriviledgedSetProxyAction ps = new PriviledgedSetProxyAction(host, port); 
++-            proxyHost = (String) AccessController.doPrivileged(ps);
++-        } catch (Exception e) {
++-            throw new RuntimeException(e);
++-        }
++-    }
++-    
++-    public String getProxyHost() {
++-        return proxyHost;
++-    }
++-
++-    private int proxyPort = -1;
++-
++-    public int getProxyPort() {
++-        return proxyPort;
++     }
++ 
++     SOAPMessage post(SOAPMessage message, URL endPoint) throws SOAPException {
++--- src/com/sun/xml/internal/messaging/saaj/client/p2p/HttpSOAPConnection.java	Mon Feb 14 09:09:00 2011 +0530
+++++ src/com/sun/xml/internal/messaging/saaj/client/p2p/HttpSOAPConnection.java	Wed Feb 16 00:11:00 2011 +0530
++@@ -201,7 +201,7 @@ public class HttpSOAPConnection extends 
++             httpConnection.setDoOutput(true);
++             httpConnection.setDoInput(true);
++             httpConnection.setUseCaches(false);
++-            HttpURLConnection.setFollowRedirects(true);
+++            httpConnection.setInstanceFollowRedirects(true);
++ 
++             if (message.saveRequired())
++                 message.saveChanges();
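Review bot: The switch from the static `HttpURLConnection.setFollowRedirects(true)` to `httpConnection.setInstanceFollowRedirects(true)` in the last inner hunk carries no comment, and neither does the removal of the `AccessController.doPrivileged` wrapper around `post()`. These are the security-relevant changes in this patch, so a later cleanup could revert them unnoticed: the static setter changes the redirect default for every HttpURLConnection in the JVM, and the wrapper made the outbound request run with the library's permissions rather than the caller's. I would add `// Per-connection only: the static setFollowRedirects() alters the default for the whole JVM.` above the new call. Above `SOAPMessage response = post(message, (URL) endPoint);` I would add `// Deliberately not wrapped in doPrivileged: the request must run with the caller's permissions.` The enclosing methods start and end outside the inner hunks shown.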
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7016495.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,424 @@
+# HG changeset patch
+# User flar
+# Date 1299032055 28800
+# Node ID 50636a6053f85b1355152385560c5856ea14dc3f
+# Parent  4c569f18b5a1f4eeb7e13fafba7375e39a5b9161
+7016495: Crash in Java 2D transforming an image with scale close to zero
+Reviewed-by: prr, bae
+
+diff --git a/src/share/classes/sun/java2d/pipe/DrawImage.java b/src/share/classes/sun/java2d/pipe/DrawImage.java
+--- openjdk/jdk/src/share/classes/sun/java2d/pipe/DrawImage.java
++++ openjdk/jdk/src/share/classes/sun/java2d/pipe/DrawImage.java
+@@ -509,6 +509,9 @@ public class DrawImage implements DrawIm
+          * edges thus has to be h*2+2 in length
+          */
+         int edges[] = new int[(dy2-dy1)*2+2];
++        // It is important that edges[0]=edges[1]=0 when we call
++        // Transform in case it must return early and we would
++        // not want to render anything on an error condition.
+         helper.Transform(tmpmaskblit, srcData, tmpData,
+                          AlphaComposite.Src, null,
+                          itx, interpType,
+diff --git a/src/share/native/sun/java2d/loops/TransformHelper.c b/src/share/native/sun/java2d/loops/TransformHelper.c
+--- openjdk/jdk/src/share/native/sun/java2d/loops/TransformHelper.c
++++ openjdk/jdk/src/share/native/sun/java2d/loops/TransformHelper.c
+@@ -75,6 +75,94 @@ TransformInterpFunc *pBicubicFunc = Bicu
+ TransformInterpFunc *pBicubicFunc = BicubicInterp;
+ 
+ /*
++ * The dxydxy parameters of the inverse transform determine how
++ * quickly we step through the source image.  For tiny scale
++ * factors (on the order of 1E-16 or so) the stepping distances
++ * are huge.  The image has been scaled so small that stepping
++ * a single pixel in device space moves the sampling point by
++ * billions (or more) pixels in the source image space.  These
++ * huge stepping values can overflow the whole part of the longs
++ * we use for the fixed point stepping equations and so we need
++ * a more robust solution.  We could simply iterate over every
++ * device pixel, use the inverse transform to transform it back
++ * into the source image coordinate system and then test it for
++ * being in range and sample pixel-by-pixel, but that is quite
++ * a bit more expensive.  Fortunately, if the scale factors are
++ * so tiny that we overflow our long values then the number of
++ * pixels we are planning to visit should be very tiny.  The only
++ * exception to that rule is if the scale factor along one
++ * dimension is tiny (creating the huge stepping values), and
++ * the scale factor along the other dimension is fairly regular
++ * or an up-scale.  In that case we have a lot of pixels along
++ * the direction of the larger axis to sample, but few along the
++ * smaller axis.  Though, pessimally, with an added shear factor
++ * such a linearly tiny image could have bounds that cover a large
++ * number of pixels.  Such odd transformations should be very
++ * rare and the absolute limit on calculations would involve a
++ * single reverse transform of every pixel in the output image
++ * which is not fast, but it should not cause an undue stall
++ * of the rendering software.
++ *
++ * The specific test we will use is to calculate the inverse
++ * transformed values of every corner of the destination bounds
++ * (in order to be user-clip independent) and if we can
++ * perform a fixed-point-long inverse transform of all of
++ * those points without overflowing we will use the fast
++ * fixed point algorithm.  Otherwise we will use the safe
++ * per-pixel transform algorithm.
++ * The 4 corners are 0,0, 0,dsth, dstw,0, dstw,dsth
++ * Transformed they are:
++ *     tx,               ty
++ *     tx       +dxdy*H, ty       +dydy*H
++ *     tx+dxdx*W,        ty+dydx*W
++ *     tx+dxdx*W+dxdy*H, ty+dydx*W+dydy*H
++ */
++/* We reject coordinates not less than 1<<30 so that the distance between */
++/* any 2 of them is less than 1<<31 which would overflow into the sign */
++/* bit of a signed long value used to represent fixed point coordinates. */
++#define TX_FIXED_UNSAFE(v)  (fabs(v) >= (1<<30))
++static jboolean
++checkOverflow(jint dxoff, jint dyoff,
++              SurfaceDataBounds *pBounds,
++              TransformInfo *pItxInfo,
++              jdouble *retx, jdouble *rety)
++{
++    jdouble x, y;
++
++    x = dxoff+pBounds->x1+0.5; /* Center of pixel x1 */
++    y = dyoff+pBounds->y1+0.5; /* Center of pixel y1 */
++    Transform_transform(pItxInfo, &x, &y);
++    *retx = x;
++    *rety = y;
++    if (TX_FIXED_UNSAFE(x) || TX_FIXED_UNSAFE(y)) {
++        return JNI_TRUE;
++    }
++
++    x = dxoff+pBounds->x2-0.5; /* Center of pixel x2-1 */
++    y = dyoff+pBounds->y1+0.5; /* Center of pixel y1 */
++    Transform_transform(pItxInfo, &x, &y);
++    if (TX_FIXED_UNSAFE(x) || TX_FIXED_UNSAFE(y)) {
++        return JNI_TRUE;
++    }
++
++    x = dxoff+pBounds->x1+0.5; /* Center of pixel x1 */
++    y = dyoff+pBounds->y2-0.5; /* Center of pixel y2-1 */
++    Transform_transform(pItxInfo, &x, &y);
++    if (TX_FIXED_UNSAFE(x) || TX_FIXED_UNSAFE(y)) {
++        return JNI_TRUE;
++    }
++
++    x = dxoff+pBounds->x2-0.5; /* Center of pixel x2-1 */
++    y = dyoff+pBounds->y2-0.5; /* Center of pixel y2-1 */
++    Transform_transform(pItxInfo, &x, &y);
++    if (TX_FIXED_UNSAFE(x) || TX_FIXED_UNSAFE(y)) {
++        return JNI_TRUE;
++    }
++
++    return JNI_FALSE;
++}
++
++/*
+  * Fill the edge buffer with pairs of coordinates representing the maximum
+  * left and right pixels of the destination surface that should be processed
+  * on each scanline, clipped to the bounds parameter.
+@@ -82,21 +170,19 @@ TransformInterpFunc *pBicubicFunc = Bicu
+  * Only pixels that map back through the specified (inverse) transform to a
+  * source coordinate that falls within the (0, 0, sw, sh) bounds of the
+  * source image should be processed.
+- * pEdgeBuf points to an array of jints that holds MAXEDGES*2 values.
+- * If more storage is needed, then this function allocates a new buffer.
+- * In either case, a pointer to the buffer actually used to store the
+- * results is returned.
+- * The caller is responsible for freeing the buffer if the return value
+- * is not the same as the original pEdgeBuf passed in.
++ * pEdges points to an array of jints that holds 2 + numedges*2 values where
++ * numedges should match (pBounds->y2 - pBounds->y1).
++ * The first two jints in pEdges should be set to y1 and y2 and every pair
++ * of jints after that represent the xmin,xmax of all pixels in range of
++ * the transformed blit for the corresponding scanline.
+  */
+-static jint *
+-calculateEdges(jint *pEdgeBuf,
++static void
++calculateEdges(jint *pEdges,
+                SurfaceDataBounds *pBounds,
+                TransformInfo *pItxInfo,
+                jlong xbase, jlong ybase,
+                juint sw, juint sh)
+ {
+-    jint *pEdges;
+     jlong dxdxlong, dydxlong;
+     jlong dxdylong, dydylong;
+     jlong drowxlong, drowylong;
+@@ -111,10 +197,8 @@ calculateEdges(jint *pEdgeBuf,
+     dy1 = pBounds->y1;
+     dx2 = pBounds->x2;
+     dy2 = pBounds->y2;
+-    if ((dy2-dy1) > MAXEDGES) {
+-        pEdgeBuf = malloc(2 * (dy2-dy1) * sizeof (*pEdges));
+-    }
+-    pEdges = pEdgeBuf;
++    *pEdges++ = dy1;
++    *pEdges++ = dy2;
+ 
+     drowxlong = (dx2-dx1-1) * dxdxlong;
+     drowylong = (dx2-dx1-1) * dydxlong;
+@@ -155,9 +239,21 @@ calculateEdges(jint *pEdgeBuf,
+         ybase += dydylong;
+         dy1++;
+     }
++}
+ 
+-    return pEdgeBuf;
+-}
++static void
++Transform_SafeHelper(JNIEnv *env,
++                     SurfaceDataOps *srcOps,
++                     SurfaceDataOps *dstOps,
++                     SurfaceDataRasInfo *pSrcInfo,
++                     SurfaceDataRasInfo *pDstInfo,
++                     NativePrimitive *pMaskBlitPrim,
++                     CompositeInfo *pCompInfo,
++                     TransformHelperFunc *pHelperFunc,
++                     TransformInterpFunc *pInterpFunc,
++                     RegionData *pClipInfo, TransformInfo *pItxInfo,
++                     jint *pData, jint *pEdges,
++                     jint dxoff, jint dyoff, jint sw, jint sh);
+ 
+ /*
+  * Class:     sun_java2d_loops_TransformHelper
+@@ -187,12 +283,14 @@ Java_sun_java2d_loops_TransformHelper_Tr
+     jint maxlinepix;
+     TransformHelperFunc *pHelperFunc;
+     TransformInterpFunc *pInterpFunc;
+-    jint edgebuf[MAXEDGES * 2];
++    jdouble xorig, yorig;
++    jint numedges;
+     jint *pEdges;
+-    jdouble x, y;
+-    jlong xbase, ybase;
+-    jlong dxdxlong, dydxlong;
+-    jlong dxdylong, dydylong;
++    jint edgebuf[2 + MAXEDGES * 2];
++    union {
++        jlong align;
++        jint data[LINE_SIZE];
++    } rgb;
+ 
+ #ifdef MAKE_STUBS
+     static int th_initialized;
+@@ -269,39 +367,62 @@ Java_sun_java2d_loops_TransformHelper_Tr
+     if (srcOps->Lock(env, srcOps, &srcInfo, pHelperPrim->srcflags)
+         != SD_SUCCESS)
+     {
++        /* edgeArray should already contain zeros for min/maxy */
+         return;
+     }
+     if (dstOps->Lock(env, dstOps, &dstInfo, pMaskBlitPrim->dstflags)
+         != SD_SUCCESS)
+     {
+         SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
++        /* edgeArray should already contain zeros for min/maxy */
+         return;
+     }
+     Region_IntersectBounds(&clipInfo, &dstInfo.bounds);
+ 
++    numedges = (dstInfo.bounds.y2 - dstInfo.bounds.y1);
++    if (numedges > MAXEDGES) {
++        pEdges = malloc((2 + 2 * numedges) * sizeof (*pEdges));
++        if (pEdges == NULL) {
++            SurfaceData_InvokeUnlock(env, dstOps, &dstInfo);
++            SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
++            /* edgeArray should already contain zeros for min/maxy */
++            return;
++        }
++    } else {
++        pEdges = edgebuf;
++    }
++
+     Transform_GetInfo(env, itxform, &itxInfo);
+-    dxdxlong = DblToLong(itxInfo.dxdx);
+-    dydxlong = DblToLong(itxInfo.dydx);
+-    dxdylong = DblToLong(itxInfo.dxdy);
+-    dydylong = DblToLong(itxInfo.dydy);
+-    x = dxoff+dstInfo.bounds.x1+0.5; /* Center of pixel x1 */
+-    y = dyoff+dstInfo.bounds.y1+0.5; /* Center of pixel y1 */
+-    Transform_transform(&itxInfo, &x, &y);
+-    xbase = DblToLong(x);
+-    ybase = DblToLong(y);
+-
+-    pEdges = calculateEdges(edgebuf, &dstInfo.bounds, &itxInfo,
+-                            xbase, ybase, sx2-sx1, sy2-sy1);
+ 
+     if (!Region_IsEmpty(&clipInfo)) {
+         srcOps->GetRasInfo(env, srcOps, &srcInfo);
+         dstOps->GetRasInfo(env, dstOps, &dstInfo);
+-        if (srcInfo.rasBase && dstInfo.rasBase) {
+-            union {
+-                jlong align;
+-                jint data[LINE_SIZE];
+-            } rgb;
++        if (srcInfo.rasBase == NULL || dstInfo.rasBase == NULL) {
++            pEdges[0] = pEdges[1] = 0;
++        } else if (checkOverflow(dxoff, dyoff, &dstInfo.bounds,
++                                 &itxInfo, &xorig, &yorig))
++        {
++            Transform_SafeHelper(env, srcOps, dstOps,
++                                 &srcInfo, &dstInfo,
++                                 pMaskBlitPrim, &compInfo,
++                                 pHelperFunc, pInterpFunc,
++                                 &clipInfo, &itxInfo, rgb.data, pEdges,
++                                 dxoff, dyoff, sx2-sx1, sy2-sy1);
++        } else {
+             SurfaceDataBounds span;
++            jlong dxdxlong, dydxlong;
++            jlong dxdylong, dydylong;
++            jlong xbase, ybase;
++
++            dxdxlong = DblToLong(itxInfo.dxdx);
++            dydxlong = DblToLong(itxInfo.dydx);
++            dxdylong = DblToLong(itxInfo.dxdy);
++            dydylong = DblToLong(itxInfo.dydy);
++            xbase = DblToLong(xorig);
++            ybase = DblToLong(yorig);
++
++            calculateEdges(pEdges, &dstInfo.bounds, &itxInfo,
++                           xbase, ybase, sx2-sx1, sy2-sy1);
+ 
+             Region_StartIteration(env, &clipInfo);
+             while (Region_NextIteration(&clipInfo, &span)) {
+@@ -318,8 +439,8 @@ Java_sun_java2d_loops_TransformHelper_Tr
+ 
+                     /* Note - process at most one scanline at a time. */
+ 
+-                    dx1 = pEdges[(dy1 - dstInfo.bounds.y1) * 2];
+-                    dx2 = pEdges[(dy1 - dstInfo.bounds.y1) * 2 + 1];
++                    dx1 = pEdges[(dy1 - dstInfo.bounds.y1) * 2 + 2];
++                    dx2 = pEdges[(dy1 - dstInfo.bounds.y1) * 2 + 3];
+                     if (dx1 < span.x1) dx1 = span.x1;
+                     if (dx2 > span.x2) dx2 = span.x2;
+ 
+@@ -376,19 +497,122 @@ Java_sun_java2d_loops_TransformHelper_Tr
+         }
+         SurfaceData_InvokeRelease(env, dstOps, &dstInfo);
+         SurfaceData_InvokeRelease(env, srcOps, &srcInfo);
++    } else {
++        pEdges[0] = pEdges[1] = 0;
+     }
+     SurfaceData_InvokeUnlock(env, dstOps, &dstInfo);
+     SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
+     if (!JNU_IsNull(env, edgeArray)) {
+-        (*env)->SetIntArrayRegion(env, edgeArray, 0, 1, &dstInfo.bounds.y1);
+-        (*env)->SetIntArrayRegion(env, edgeArray, 1, 1, &dstInfo.bounds.y2);
+-        (*env)->SetIntArrayRegion(env, edgeArray,
+-                                  2, (dstInfo.bounds.y2 - dstInfo.bounds.y1)*2,
+-                                  pEdges);
++        (*env)->SetIntArrayRegion(env, edgeArray, 0, 2+numedges*2, pEdges);
+     }
+     if (pEdges != edgebuf) {
+         free(pEdges);
+     }
++}
++
++static void
++Transform_SafeHelper(JNIEnv *env,
++                     SurfaceDataOps *srcOps,
++                     SurfaceDataOps *dstOps,
++                     SurfaceDataRasInfo *pSrcInfo,
++                     SurfaceDataRasInfo *pDstInfo,
++                     NativePrimitive *pMaskBlitPrim,
++                     CompositeInfo *pCompInfo,
++                     TransformHelperFunc *pHelperFunc,
++                     TransformInterpFunc *pInterpFunc,
++                     RegionData *pClipInfo, TransformInfo *pItxInfo,
++                     jint *pData, jint *pEdges,
++                     jint dxoff, jint dyoff, jint sw, jint sh)
++{
++    SurfaceDataBounds span;
++    jint dx1, dx2;
++    jint dy1, dy2;
++    jint i, iy;
++
++    dy1 = pDstInfo->bounds.y1;
++    dy2 = pDstInfo->bounds.y2;
++    dx1 = pDstInfo->bounds.x1;
++    dx2 = pDstInfo->bounds.x2;
++    pEdges[0] = dy1;
++    pEdges[1] = dy2;
++    for (iy = dy1; iy < dy2; iy++) {
++        jint i = (iy - dy1) * 2;
++        /* row spans are set to max,min until we find a pixel in range below */
++        pEdges[i + 2] = dx2;
++        pEdges[i + 3] = dx1;
++    }
++
++    Region_StartIteration(env, pClipInfo);
++    while (Region_NextIteration(pClipInfo, &span)) {
++        dy1 = span.y1;
++        dy2 = span.y2;
++        while (dy1 < dy2) {
++            dx1 = span.x1;
++            dx2 = span.x2;
++            i = (dy1 - pDstInfo->bounds.y1) * 2;
++            while (dx1 < dx2) {
++                jdouble x, y;
++                jlong xlong, ylong;
++
++                x = dxoff + dx1 + 0.5;
++                y = dyoff + dy1 + 0.5;
++                Transform_transform(pItxInfo, &x, &y);
++                xlong = DblToLong(x);
++                ylong = DblToLong(y);
++
++                /* Process only pixels with centers in bounds
++                 * Test double values to avoid overflow in conversion
++                 * to long values and then also test the long values
++                 * in case they rounded up and out of bounds during
++                 * the conversion.
++                 */
++                if (x >= 0 && y >= 0 && x < sw && y < sh &&
++                    WholeOfLong(xlong) < sw &&
++                    WholeOfLong(ylong) < sh)
++                {
++                    void *pDst;
++
++                    if (pEdges[i + 2] > dx1) {
++                        pEdges[i + 2] = dx1;
++                    }
++                    if (pEdges[i + 3] <= dx1) {
++                        pEdges[i + 3] = dx1 + 1;
++                    }
++
++                    /* Get IntArgbPre pixel data from source */
++                    (*pHelperFunc)(pSrcInfo,
++                                   pData, 1,
++                                   xlong, 0,
++                                   ylong, 0);
++
++                    /* Interpolate result pixels if needed */
++                    if (pInterpFunc) {
++                        (*pInterpFunc)(pData, 1,
++                                       FractOfLong(xlong-LongOneHalf), 0,
++                                       FractOfLong(ylong-LongOneHalf), 0);
++                    }
++
++                    /* Store/Composite interpolated pixels into dest */
++                    pDst = PtrCoord(pDstInfo->rasBase,
++                                    dx1, pDstInfo->pixelStride,
++                                    dy1, pDstInfo->scanStride);
++                    (*pMaskBlitPrim->funcs.maskblit)(pDst, pData,
++                                                     0, 0, 0,
++                                                     1, 1,
++                                                     pDstInfo, pSrcInfo,
++                                                     pMaskBlitPrim,
++                                                     pCompInfo);
++                }
++
++                /* Increment to next input pixel */
++                dx1++;
++            }
++
++            /* Increment to next scanline */
++            dy1++;
++        }
++    }
++    Region_EndIteration(env, pClipInfo);
+ }
+ 
+ #define BL_INTERP_V1_to_V2_by_F(v1, v2, f) \
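Review bot: On the paths that set only `pEdges[0] = pEdges[1] = 0` (the `rasBase == NULL` branch and the new `else` for an empty clip region), the final `SetIntArrayRegion(env, edgeArray, 0, 2+numedges*2, pEdges)` still copies every row slot, and those slots were never written: `edgebuf` is declared without an initialiser and the large case comes from `malloc`. That puts leftover native stack or heap contents into the Java-visible edge array. Track how much was filled, for example a `jint ncopy = 2;` raised to `2 + numedges*2` only after `calculateEdges` or `Transform_SafeHelper` has run, and pass it as `(*env)->SetIntArrayRegion(env, edgeArray, 0, ncopy, pEdges);`. Separately, `TX_FIXED_UNSAFE(v)` evaluates to false for NaN, so a NaN coordinate would be treated as safe for the fixed-point path; `(!(fabs(v) < (1<<30)))` would reject it. The body of `Java_sun_java2d_loops_TransformHelper_Transform` starts and ends outside the inner hunks, so whether anything else clears the buffer cannot be confirmed from here.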
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7020198.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,139 @@
+# HG changeset patch
+# User alexp
+# Date 1305650123 -14400
+# Node ID 055d6c57c43057e076396142aae7b53272e8a5fa
+# Parent  bf0758eb099e803a6353e96dd02f085e970900d0
+7020198: ImageIcon creates Component with null acc
+Reviewed-by: rupashka
+
+diff --git a/src/share/classes/javax/swing/ImageIcon.java b/src/share/classes/javax/swing/ImageIcon.java
+--- openjdk/jdk/src/share/classes/javax/swing/ImageIcon.java
++++ openjdk/jdk/src/share/classes/javax/swing/ImageIcon.java
+@@ -36,6 +36,9 @@ import java.util.Locale;
+ import java.util.Locale;
+ import javax.accessibility.*;
+ 
++import sun.awt.AppContext;
++import java.lang.reflect.Field;
++import java.security.*;
+ 
+ /**
+  * An implementation of the Icon interface that paints Icons
+@@ -75,13 +78,59 @@ public class ImageIcon implements Icon, 
+     ImageObserver imageObserver;
+     String description = null;
+ 
+-    protected final static Component component = new Component() {};
+-    protected final static MediaTracker tracker = new MediaTracker(component);
++   // Fields for twisted backward compatibility only. DO NOT USE.
++    protected final static Component component;
++    protected final static MediaTracker tracker;
++
++    static {
++        component = AccessController.doPrivileged(new PrivilegedAction<Component>() {
++            public Component run() {
++
++                try {
++                    final Component component = createNoPermsComponent();
++
++                    // 6482575 - clear the appContext field so as not to leak it
++                    Field appContextField =
++
++                            Component.class.getDeclaredField("appContext");
++                    appContextField.setAccessible(true);
++                    appContextField.set(component, null);
++
++                    return component;
++                } catch (Throwable e) {
++                    // We don't care about component.
++                    // So don't prevent class initialisation.
++                    e.printStackTrace();
++
++                    return null;
++                }
++            }
++        });
++        tracker = new MediaTracker(component);
++    }
++
++    private static Component createNoPermsComponent() {
++        // 7020198 - set acc field to no permissions and no subject
++        // Note, will have appContext set.
++        return AccessController.doPrivileged(
++                new PrivilegedAction<Component>() {
++                    public Component run() {
++                        return new Component() {
++                        };
++                    }
++                },
++                new AccessControlContext(new ProtectionDomain[]{
++                        new ProtectionDomain(null, null)
++                })
++        );
++    }
+ 
+     /**
+      * Id used in loading images from MediaTracker.
+      */
+     private static int mediaTrackerID;
++
++    private final static Object TRACKER_KEY = new StringBuilder("TRACKER_KEY");
+ 
+     int width = -1;
+     int height = -1;
+@@ -243,17 +292,18 @@ public class ImageIcon implements Icon, 
+      * @param image the image
+      */
+     protected void loadImage(Image image) {
+-        synchronized(tracker) {
++        MediaTracker mTracker = getTracker();
++        synchronized(mTracker) {
+             int id = getNextID();
+ 
+-            tracker.addImage(image, id);
++            mTracker.addImage(image, id);
+             try {
+-                tracker.waitForID(id, 0);
++                mTracker.waitForID(id, 0);
+             } catch (InterruptedException e) {
+                 System.out.println("INTERRUPTED while loading Image");
+             }
+-            loadStatus = tracker.statusID(id, false);
+-            tracker.removeImage(image, id);
++            loadStatus = mTracker.statusID(id, false);
++            mTracker.removeImage(image, id);
+ 
+             width = image.getWidth(imageObserver);
+             height = image.getHeight(imageObserver);
+@@ -264,9 +314,30 @@ public class ImageIcon implements Icon, 
+      * Returns an ID to use with the MediaTracker in loading an image.
+      */
+     private int getNextID() {
+-        synchronized(tracker) {
++        synchronized(getTracker()) {
+             return ++mediaTrackerID;
+         }
++    }
++
++    /**
++     * Returns the MediaTracker for the current AppContext, creating a new
++     * MediaTracker if necessary.
++     */
++    private MediaTracker getTracker() {
++        Object trackerObj;
++        AppContext ac = AppContext.getAppContext();
++        // Opt: Only synchronize if trackerObj comes back null?
++        // If null, synchronize, re-check for null, and put new tracker
++        synchronized (ac) {
++            trackerObj = ac.get(TRACKER_KEY);
++            if (trackerObj == null) {
++                Component comp = new Component() {
++                };
++                trackerObj = new MediaTracker(comp);
++                ac.put(TRACKER_KEY, trackerObj);
++            }
++        }
++        return (MediaTracker) trackerObj;
+     }
+ 
+     /**
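Review bot: `getNextID()` now locks `getTracker()`, which is one MediaTracker per AppContext, while the counter it protects, `mediaTrackerID`, is still a single static field. Threads in different AppContexts therefore hold different monitors and increment the same field without mutual exclusion. Ids probably only need to be unique within one tracker, so the visible effect may be limited, but the lock no longer guards what it appears to guard; `synchronized (ImageIcon.class) { return ++mediaTrackerID; }` keeps the counter consistent. `TRACKER_KEY` would also benefit from a comment saying the `StringBuilder` appears to serve only as a unique identity key for the AppContext map.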
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20110607/7020373.patch	Tue May 24 23:28:49 2011 +0100
@@ -0,0 +1,38 @@
+# HG changeset patch
+# User kamg
+# Date 1300992148 14400
+# Node ID f6b8cfca1b530e9f7fd9a0c95eeb239afdb53177
+# Parent  4863fa64ae5f5c96c36c68c5c2bb765e23a5d697
+7020373: JSR rewriting can overflow memory address size variables
+Summary: Abort if incoming classfile's parameters would cause overflows
+Reviewed-by: coleenp, dcubed, never
+
+diff --git a/src/share/vm/oops/generateOopMap.cpp b/src/share/vm/oops/generateOopMap.cpp
+--- openjdk/hotspot/src/share/vm/oops/generateOopMap.cpp
++++ openjdk/hotspot/src/share/vm/oops/generateOopMap.cpp
+@@ -956,10 +956,21 @@ void GenerateOopMap::init_basic_blocks()
+   // initialize the CellTypeState-related information.
+   init_state();
+ 
+-  // We allocate space for all state-vectors for all basicblocks in one huge chuck.
+-  // Then in the next part of the code, we set a pointer in each _basic_block that
+-  // points to each piece.
+-  CellTypeState *basicBlockState = NEW_RESOURCE_ARRAY(CellTypeState, bbNo * _state_len);
++  // We allocate space for all state-vectors for all basicblocks in one huge
++  // chunk.  Then in the next part of the code, we set a pointer in each
++  // _basic_block that points to each piece.
++
++  // The product of bbNo and _state_len can get large if there are lots of
++  // basic blocks and stack/locals/monitors.  Need to check to make sure
++  // we don't overflow the capacity of a pointer.
++  if ((unsigned)bbNo > UINTPTR_MAX / sizeof(CellTypeState) / _state_len) {
++    report_error("The amount of memory required to analyze this method "
++                 "exceeds addressable range");
++    return;
++  }
++
++  CellTypeState *basicBlockState =
++      NEW_RESOURCE_ARRAY(CellTypeState, bbNo * _state_len);
+   memset(basicBlockState, 0, bbNo * _state_len * sizeof(CellTypeState));
+ 
+   // Make a pass over the basicblocks and assign their state vectors.
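Review bot: The new guard compares against `UINTPTR_MAX`, but the element count passed to `NEW_RESOURCE_ARRAY` and to `memset` is still the expression `bbNo * _state_len`, which is evaluated in the operands' own type before any widening. The `(unsigned)bbNo` cast suggests `bbNo` is a signed int; if `_state_len` is too (its declaration is not in the hunk), the product can wrap on a 64-bit build while the pointer-size check still passes. A `_state_len` of zero would also divide by zero in the guard itself. Computing the count once after the check, `const size_t count = (size_t)bbNo * (size_t)_state_len;`, and using it for both the allocation and `memset(basicBlockState, 0, count * sizeof(CellTypeState));` closes that gap. `init_basic_blocks()` begins and ends outside the hunk.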