Mercurial > hg > release > icedtea7-forest-2.0 > jdk
changeset 1563:597377f1ee71
6823373: [ZDI-CAN-460] Java Web Start JPEG header parsing needs more scruity
Reviewed-by: igor
| author | bae |
|---|---|
| date | Fri, 08 May 2009 16:15:15 +0400 |
| parents | c6ea5b6c3a8d |
| children | 3de7b0daf355 |
| files | src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c |
| diffstat | 1 files changed, 25 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c Fri May 08 15:57:33 2009 +0400 +++ b/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c Fri May 08 16:15:15 2009 +0400 @@ -139,21 +139,45 @@ splash->width = cinfo->output_width; splash->height = cinfo->output_height; + + if (!SAFE_TO_ALLOC(splash->imageFormat.depthBytes, splash->width)) { + return 0; + } stride = splash->width * splash->imageFormat.depthBytes; + if (!SAFE_TO_ALLOC(stride, splash->height)) { + return 0; + } + if (!SAFE_TO_ALLOC(cinfo->output_width, cinfo->output_components)) { + return 0; + } + splash->frameCount = 1; splash->frames = (SplashImage *) malloc(sizeof(SplashImage) * splash->frameCount); + if (splash->frames == NULL) { + return 0; + } memset(splash->frames, 0, sizeof(SplashImage) * splash->frameCount); + splash->loopCount = 1; + splash->frames[0].delay = 0; splash->frames[0].bitmapBits = malloc(stride * splash->height); - splash->frames[0].delay = 0; + if (splash->frames[0].bitmapBits == NULL) { + free(splash->frames); + return 0; + } rowStride = cinfo->output_width * cinfo->output_components; buffer = (*cinfo->mem->alloc_sarray) ((j_common_ptr) cinfo, JPOOL_IMAGE, rowStride, 1); + if (buffer == NULL) { + free(splash->frames[0].bitmapBits); + free(splash->frames); + return 0; + } initFormat(&srcFormat, 0x00FF0000, 0x0000FF00, 0x000000FF, 0x00000000); srcFormat.byteOrder = BYTE_ORDER_LSBFIRST;