Mercurial > hg > release > icedtea7-forest-2.1 > jdk
changeset 1937:b19f5dc13e8c
6872358: JRE AWT setBytePixels vulnerable to Heap Overflow
Reviewed-by: prr, hawtin
author | bae |
---|---|
date | Mon, 14 Sep 2009 11:46:16 +0400 |
parents | 6e7224d650f8 |
children | 4fbe48c706a4 |
files | make/sun/awt/mapfile-vers make/sun/awt/mapfile-vers-linux src/share/classes/sun/awt/image/ImageRepresentation.java src/share/native/sun/awt/image/awt_ImageRep.c |
diffstat | 4 files changed, 9 insertions(+), 103 deletions(-) [+] |
line wrap: on
line diff
--- a/make/sun/awt/mapfile-vers Thu Sep 10 14:15:47 2009 +0400 +++ b/make/sun/awt/mapfile-vers Mon Sep 14 11:46:16 2009 +0400 @@ -53,7 +53,6 @@ Java_sun_awt_image_GifImageDecoder_initIDs; Java_sun_awt_image_GifImageDecoder_parseImage; Java_sun_awt_image_ImageRepresentation_initIDs; - Java_sun_awt_image_ImageRepresentation_setBytePixels; Java_sun_awt_image_ImageRepresentation_setDiffICM; Java_sun_awt_image_ImageRepresentation_setICMpixels; Java_sun_awt_image_ImagingLib_convolveBI;
--- a/make/sun/awt/mapfile-vers-linux Thu Sep 10 14:15:47 2009 +0400 +++ b/make/sun/awt/mapfile-vers-linux Mon Sep 14 11:46:16 2009 +0400 @@ -55,7 +55,6 @@ Java_sun_awt_image_GifImageDecoder_parseImage; Java_sun_awt_image_Image_initIDs; Java_sun_awt_image_ImageRepresentation_initIDs; - Java_sun_awt_image_ImageRepresentation_setBytePixels; Java_sun_awt_image_ImageRepresentation_setDiffICM; Java_sun_awt_image_ImageRepresentation_setICMpixels; Java_sun_awt_image_ImagingLib_convolveBI;
--- a/src/share/classes/sun/awt/image/ImageRepresentation.java Thu Sep 10 14:15:47 2009 +0400 +++ b/src/share/classes/sun/awt/image/ImageRepresentation.java Mon Sep 14 11:46:16 2009 +0400 @@ -336,10 +336,6 @@ public native void setICMpixels(int x, int y, int w, int h, int[] lut, byte[] pix, int off, int scansize, IntegerComponentRaster ict); - - public native void setBytePixels(int x, int y, int w, int h, byte[] pix, - int off, int scansize, - ByteComponentRaster bct, int chanOff); public native int setDiffICM(int x, int y, int w, int h, int[] lut, int transPix, int numLut, IndexColorModel icm, byte[] pix, int off, int scansize, @@ -450,27 +446,17 @@ (biRaster instanceof ByteComponentRaster) && (biRaster.getNumDataElements() == 1)){ ByteComponentRaster bt = (ByteComponentRaster) biRaster; - if (w*h > 200) { - if (off == 0 && scansize == w) { - bt.putByteData(x, y, w, h, pix); - } - else { - byte[] bpix = new byte[w]; - poff = off; - for (int yoff=y; yoff < y+h; yoff++) { - System.arraycopy(pix, poff, bpix, 0, w); - bt.putByteData(x, yoff, w, 1, bpix); - poff += scansize; - } - } + if (off == 0 && scansize == w) { + bt.putByteData(x, y, w, h, pix); } else { - // Only is faster if #pixels - // Note that setBytePixels modifies the raster directly - // so we must mark it as changed afterwards - setBytePixels(x, y, w, h, pix, off, scansize, bt, - bt.getDataOffset(0)); - bt.markDirty(); + byte[] bpix = new byte[w]; + poff = off; + for (int yoff=y; yoff < y+h; yoff++) { + System.arraycopy(pix, poff, bpix, 0, w); + bt.putByteData(x, yoff, w, 1, bpix); + poff += scansize; + } } } else {
--- a/src/share/native/sun/awt/image/awt_ImageRep.c Thu Sep 10 14:15:47 2009 +0400 +++ b/src/share/native/sun/awt/image/awt_ImageRep.c Mon Sep 14 11:46:16 2009 +0400 @@ -142,84 +142,6 @@ } -JNIEXPORT void JNICALL -Java_sun_awt_image_ImageRepresentation_setBytePixels(JNIEnv *env, jclass cls, - jint x, jint y, jint w, - jint h, jbyteArray jpix, - jint off, jint scansize, - jobject jbct, - jint chanOffs) -{ - int sStride; - int pixelStride; - jobject jdata; - unsigned char *srcData; - unsigned char *dstData; - unsigned char *dataP; - unsigned char *pixP; - int i; - int j; - - - if (JNU_IsNull(env, jpix)) { - JNU_ThrowNullPointerException(env, "NullPointerException"); - return; - } - - sStride = (*env)->GetIntField(env, jbct, g_BCRscanstrID); - pixelStride = (*env)->GetIntField(env, jbct, g_BCRpixstrID); - jdata = (*env)->GetObjectField(env, jbct, g_BCRdataID); - - srcData = (unsigned char *) (*env)->GetPrimitiveArrayCritical(env, jpix, - NULL); - if (srcData == NULL) { - /* out of memory error already thrown */ - return; - } - - dstData = (unsigned char *) (*env)->GetPrimitiveArrayCritical(env, jdata, - NULL); - if (dstData == NULL) { - /* out of memory error already thrown */ - (*env)->ReleasePrimitiveArrayCritical(env, jpix, srcData, JNI_ABORT); - return; - } - - dataP = dstData + chanOffs + y*sStride + x*pixelStride; - pixP = srcData + off; - if (pixelStride == 1) { - if (sStride == scansize && scansize == w) { - memcpy(dataP, pixP, w*h); - } - else { - for (i=0; i < h; i++) { - memcpy(dataP, pixP, w); - dataP += sStride; - pixP += scansize; - } - } - } - else { - unsigned char *ydataP = dataP; - unsigned char *ypixP = pixP; - - for (i=0; i < h; i++) { - dataP = ydataP; - pixP = ypixP; - for (j=0; j < w; j++) { - *dataP = *pixP++; - dataP += pixelStride; - } - ydataP += sStride; - ypixP += scansize; - } - } - - (*env)->ReleasePrimitiveArrayCritical(env, jpix, srcData, JNI_ABORT); - (*env)->ReleasePrimitiveArrayCritical(env, jdata, dstData, JNI_ABORT); - -} - JNIEXPORT jint JNICALL Java_sun_awt_image_ImageRepresentation_setDiffICM(JNIEnv *env, jclass cls, jint x, jint y, jint w,