Add first batch of security patches.
S7000600, CVE-2011-3547: InputStream skip() information leak
S7019773, CVE-2011-3548: mutable static AWTKeyStroke.ctor
S7023640, CVE-2011-3551: Java2D TransformHelper integer overflow
S7032417, CVE-2011-3552: excessive default UDP socket limit under SecurityManager
S7046823, CVE-2011-3544: missing SecurityManager checks in scripting engine
S7055902, CVE-2011-3521: IIOP deserialization code execution
S7057857, CVE-2011-3554: insufficient pack200 JAR files uncompress error checks
S7064341, CVE-2011-3389: JSSE
S7070134, CVE-2011-3558: Hotspot unspecified issue
S7077466, CVE-2011-3556: RMI DGC server remote code execution
S7083012, CVE-2011-3557: RMI registry privileged code execution
S7096936, CVE-2011-3560: missing checkSetFactory calls in HttpsURLConnection
2011-10-13 Andrew John Hughes <ahughes@redhat.com>
* Makefile.am: Add patches.
* NEWS: List security updates.
* patches/icedtea-rhino.patch: Change
after 7046823 is applied.
* patches/security/20111018/7000600.patch,
* patches/security/20111018/7019773.patch,
* patches/security/20111018/7023640.patch,
* patches/security/20111018/7032417.patch,
* patches/security/20111018/7046823.patch,
* patches/security/20111018/7055902.patch,
* patches/security/20111018/7057857.patch,
* patches/security/20111018/7064341.patch,
* patches/security/20111018/7070134.patch,
* patches/security/20111018/7083012.patch,
* patches/security/20111018/7096936.patch:
First batch of security patches.
author | Andrew John Hughes <ahughes@redhat.com> |
date | Thu, 13 Oct 2011 15:04:46 +0100 |
# HG changeset patch
# User asaha
# Date 1311020591 25200
# Node ID 08848920eb33efabb049bc4cb2f40d37ab4f18f6
# Parent 1a1bf4ee2c24c3fc1f6e4071e23b4b562a654d0d
7023640: calculation for malloc size in TransformHelper.c could overflow an integer
Reviewed-by: flar
diff --git a/src/share/native/sun/java2d/loops/TransformHelper.c b/src/share/native/sun/java2d/loops/TransformHelper.c
--- openjdk/jdk/src/share/native/sun/java2d/loops/TransformHelper.c
+++ openjdk/jdk/src/share/native/sun/java2d/loops/TransformHelper.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -284,7 +284,7 @@ Java_sun_java2d_loops_TransformHelper_Tr
     TransformHelperFunc *pHelperFunc;
     TransformInterpFunc *pInterpFunc;
     jdouble xorig, yorig;
-    jint numedges;
+    jlong numedges;
     jint *pEdges;
     jint edgebuf[2 + MAXEDGES * 2];
     union {
@@ -379,17 +379,41 @@ Java_sun_java2d_loops_TransformHelper_Tr
     }
     Region_IntersectBounds(&clipInfo, &dstInfo.bounds);
-    numedges = (dstInfo.bounds.y2 - dstInfo.bounds.y1);
-    if (numedges > MAXEDGES) {
-        pEdges = malloc((2 + 2 * numedges) * sizeof (*pEdges));
-        if (pEdges == NULL) {
-            SurfaceData_InvokeUnlock(env, dstOps, &dstInfo);
-            SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
-            /* edgeArray should already contain zeros for min/maxy */
-            return;
-        }
+    numedges = (((jlong) dstInfo.bounds.y2) - ((jlong) dstInfo.bounds.y1));
+    if (numedges <= 0) {
+        pEdges = NULL;
+    } else if (!JNU_IsNull(env, edgeArray)) {
+        /*
+         * Ideally Java should allocate an array large enough, but if
+         * we ever have a miscommunication about the number of edge
+         * lines, or if the Java array calculation should overflow to
+         * a positive number and succeed in allocating an array that
+         * is too small, we need to verify that it can still hold the
+         * number of integers that we plan to store to be safe.
+         */
+        jsize edgesize = (*env)->GetArrayLength(env, edgeArray);
+        /* (edgesize/2 - 1) should avoid any overflow or underflow. */
+        pEdges = (((edgesize / 2) - 1) >= numedges)
+            ? (*env)->GetPrimitiveArrayCritical(env, edgeArray, NULL)
+            : NULL;
+    } else if (numedges > MAXEDGES) {
+        /* numedges variable (jlong) can be at most ((1<<32)-1) */
+        /* memsize can overflow a jint, but not a jlong */
+        jlong memsize = ((numedges * 2) + 2) * sizeof(*pEdges);
+        pEdges = (memsize == ((size_t) memsize))
+            ? malloc((size_t) memsize)
+            : NULL;
     } else {
         pEdges = edgebuf;
+    }
+    if (pEdges == NULL) {
+        if (numedges > 0) {
+            JNU_ThrowInternalError(env, "Unable to allocate edge list");
+        }
+        SurfaceData_InvokeUnlock(env, dstOps, &dstInfo);
+        SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
+        /* edgeArray should already contain zeros for min/maxy */
+        return;
     }
     Transform_GetInfo(env, itxform, &itxInfo);
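Review bot: The `GetPrimitiveArrayCritical` call in this hunk pins edgeArray until the `ReleasePrimitiveArrayCritical` added in the @@ -500 hunk, yet the very next statement, `Transform_GetInfo(env, itxform, &itxInfo);`, executes inside that critical region; if it reads the transform through JNI field accessors, that breaks the JNI rule that no other JNI call may be made between Get and Release. Its body, and the edge loop that follows, lie outside the hunk, so this is inferred rather than verified; moving `Transform_GetInfo` above the edge-buffer selection would confine the pinned window to plain C, and any early `return` between the two hunks would also need to release the array. A second, smaller point: when `GetPrimitiveArrayCritical` returns NULL it has normally already posted an OutOfMemoryError, so the `JNU_ThrowInternalError` on the `pEdges == NULL` path can fire with an exception pending; `if (numedges > 0 && !(*env)->ExceptionCheck(env)) {` avoids stacking a second throw. The `memsize == ((size_t) memsize)` guard itself is sound on both 32- and 64-bit size_t, since numedges is bounded by the two jint coordinates and memsize cannot exceed a jlong.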
@@ -500,14 +524,13 @@ Java_sun_java2d_loops_TransformHelper_Tr
     } else {
         pEdges[0] = pEdges[1] = 0;
     }
+    if (!JNU_IsNull(env, edgeArray)) {
+        (*env)->ReleasePrimitiveArrayCritical(env, edgeArray, pEdges, 0);
+    } else if (pEdges != edgebuf) {
+        free(pEdges);
+    }
     SurfaceData_InvokeUnlock(env, dstOps, &dstInfo);
     SurfaceData_InvokeUnlock(env, srcOps, &srcInfo);
-    if (!JNU_IsNull(env, edgeArray)) {
-        (*env)->SetIntArrayRegion(env, edgeArray, 0, 2+numedges*2, pEdges);
-    }
-    if (pEdges != edgebuf) {
-        free(pEdges);
-    }
 }
 static void