# HG changeset patch # User bae # Date 1367281246 -14400 # Node ID 384c02152d67afe49e2ef1110f1c90f6b919946b # Parent d82a5acd535d5e4235a364fd76f1e8a725b0e3bc 8012597: Better image channel verification Reviewed-by: ahgross, vadim, prr diff -r d82a5acd535d -r 384c02152d67 src/share/classes/java/awt/image/BufferedImage.java --- a/src/share/classes/java/awt/image/BufferedImage.java Wed Apr 24 15:23:44 2013 +0400 +++ b/src/share/classes/java/awt/image/BufferedImage.java Tue Apr 30 04:20:46 2013 +0400 @@ -654,17 +654,19 @@ int csType = cs.getType(); if (csType != ColorSpace.TYPE_RGB) { if (csType == ColorSpace.TYPE_GRAY - && cm instanceof ComponentColorModel) { + && ComponentColorModel.class.equals(cm.getClass())) { // Check if this might be a child raster (fix for bug 4240596) if (sm instanceof ComponentSampleModel && ((ComponentSampleModel)sm).getPixelStride() != numBands) { imageType = TYPE_CUSTOM; } else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 8 && ((ByteComponentRaster)raster).getPixelStride() == 1) { imageType = TYPE_BYTE_GRAY; } else if (raster instanceof ShortComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 16 && ((ShortComponentRaster)raster).getPixelStride() == 1) { @@ -684,7 +686,8 @@ // are correct int pixSize = cm.getPixelSize(); if (iraster.getPixelStride() == 1 && - cm instanceof DirectColorModel && + DirectColorModel.class.equals(cm.getClass()) && + SinglePixelPackedSampleModel.class.equals(sm.getClass()) && (pixSize == 32 || pixSize == 24)) { // Now check on the DirectColorModel params @@ -715,16 +718,21 @@ } // if (rmask == DCM_BGR_RED_MASK && } // if (iraster.getPixelStride() == 1 } // ((raster instanceof IntegerComponentRaster) && - else if ((cm instanceof IndexColorModel) && (numBands == 1) && + else if ((IndexColorModel.class.equals(cm.getClass())) && + (numBands == 1) && (!cm.hasAlpha() || !isAlphaPre)) { IndexColorModel icm = (IndexColorModel) cm; int pixSize = icm.getPixelSize(); - if (raster instanceof BytePackedRaster) { + if (raster instanceof BytePackedRaster && + MultiPixelPackedSampleModel.class.equals(sm.getClass())) + { imageType = TYPE_BYTE_BINARY; } // if (raster instanceof BytePackedRaster) - else if (raster instanceof ByteComponentRaster) { + else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass())) + { ByteComponentRaster braster = (ByteComponentRaster) raster; if (braster.getPixelStride() == 1 && pixSize <= 8) { imageType = TYPE_BYTE_INDEXED; @@ -732,7 +740,8 @@ } } // else if (cm instanceof IndexColorModel) && (numBands == 1)) else if ((raster instanceof ShortComponentRaster) - && (cm instanceof DirectColorModel) + && (DirectColorModel.class.equals(cm.getClass())) + && (SinglePixelPackedSampleModel.class.equals(sm.getClass())) && (numBands == 3) && !cm.hasAlpha()) { @@ -778,12 +787,14 @@ if (is8bit && offs[0] == numBands-1 && offs[1] == numBands-2 && - offs[2] == numBands-3) + offs[2] == numBands-3 && + ComponentColorModel.class.equals(ccm.getClass()) && + PixelInterleavedSampleModel.class.equals(csm.getClass())) { - if (numBands == 3) { + if (numBands == 3 && !ccm.hasAlpha()) { imageType = TYPE_3BYTE_BGR; } - else if (offs[3] == 0) { + else if (offs[3] == 0 && ccm.hasAlpha()) { imageType = (isAlphaPre ? TYPE_4BYTE_ABGR_PRE : TYPE_4BYTE_ABGR); diff -r d82a5acd535d -r 384c02152d67 src/share/native/sun/awt/image/awt_parseImage.c --- a/src/share/native/sun/awt/image/awt_parseImage.c Wed Apr 24 15:23:44 2013 +0400 +++ b/src/share/native/sun/awt/image/awt_parseImage.c Tue Apr 30 04:20:46 2013 +0400 @@ -396,10 +396,39 @@ return 1; } +static int getColorModelType(JNIEnv *env, jobject jcmodel) { + int type = UNKNOWN_CM_TYPE; + + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + { + type = INDEX_CM_TYPE; + } else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) + { + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/DirectColorModel"))) { + type = DIRECT_CM_TYPE; + } + else { + type = PACKED_CM_TYPE; + } + } + else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) + { + type = COMPONENT_CM_TYPE; + } + + return type; +} + int awt_parseColorModel (JNIEnv *env, jobject jcmodel, int imageType, ColorModelS_t *cmP) { /*jmethodID jID; */ jobject jnBits; + jsize nBitsLength; + int i; static jobject s_jdefCM = NULL; @@ -421,15 +450,55 @@ cmP->transparency = (*env)->GetIntField(env, jcmodel, g_CMtransparencyID); + jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); + if (jnBits == NULL) { + JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); + return -1; + } + + nBitsLength = (*env)->GetArrayLength(env, jnBits); + if (nBitsLength != cmP->numComponents) { + // invalid number of components? + return -1; + } + + cmP->nBits = NULL; + if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { + cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); + } + + if (cmP->nBits == NULL){ + JNU_ThrowOutOfMemoryError(env, "Out of memory"); + return -1; + } + (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, + cmP->nBits); + cmP->maxNbits = 0; + for (i=0; i < cmP->numComponents; i++) { + if (cmP->maxNbits < cmP->nBits[i]) { + cmP->maxNbits = cmP->nBits[i]; + } + } + + cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); + + cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); + + cmP->cmType = getColorModelType(env, jcmodel); + + cmP->isDefaultCM = FALSE; + cmP->isDefaultCompatCM = FALSE; + + /* look for standard cases */ if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB) { cmP->isDefaultCM = TRUE; cmP->isDefaultCompatCM = TRUE; } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB_PRE || - imageType == java_awt_image_BufferedImage_TYPE_INT_RGB) { - cmP->isDefaultCompatCM = TRUE; - } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || + imageType == java_awt_image_BufferedImage_TYPE_INT_RGB || + imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR || - imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE){ + imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE) + { cmP->isDefaultCompatCM = TRUE; } else { @@ -450,50 +519,25 @@ cmP->isDefaultCompatCM = cmP->isDefaultCM; } + /* check whether image attributes correspond to default cm */ if (cmP->isDefaultCompatCM) { - cmP->cmType = DIRECT_CM_TYPE; - cmP->nBits = (jint *) malloc(sizeof(jint)*4); - cmP->nBits[0] = cmP->nBits[1] = cmP->nBits[2] = cmP->nBits[3] = 8; - cmP->maxNbits = 8; - cmP->is_sRGB = TRUE; - cmP->csType = java_awt_color_ColorSpace_TYPE_RGB; - - return 1; - } + if (cmP->csType != java_awt_color_ColorSpace_TYPE_RGB || + !cmP->is_sRGB) + { + return -1; + } - jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); - if (jnBits == NULL) { - JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); - return -1; - } - - cmP->nBits = NULL; - if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { - cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); - } - if (cmP->nBits == NULL){ - JNU_ThrowOutOfMemoryError(env, "Out of memory"); - return -1; - } - (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, - cmP->nBits); - cmP->maxNbits = 0; - for (i=0; i < cmP->numComponents; i++) { - if (cmP->maxNbits < cmP->nBits[i]) { - cmP->maxNbits = cmP->nBits[i]; + for (i = 0; i < cmP->numComponents; i++) { + if (cmP->nBits[i] != 8) { + return -1; + } } } - cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); - - cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); - - /* Find out what type of colol model */ + /* Get index color model attributes */ if (imageType == java_awt_image_BufferedImage_TYPE_BYTE_INDEXED || - (*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + cmP->cmType == INDEX_CM_TYPE) { - cmP->cmType = INDEX_CM_TYPE; cmP->transIdx = (*env)->GetIntField(env, jcmodel, g_ICMtransIdxID); cmP->mapSize = (*env)->GetIntField(env, jcmodel, g_ICMmapSizeID); cmP->jrgb = (*env)->GetObjectField(env, jcmodel, g_ICMrgbID); @@ -519,31 +563,6 @@ } } } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/DirectColorModel"))){ - cmP->cmType = DIRECT_CM_TYPE; - } - else { - cmP->cmType = PACKED_CM_TYPE; - } - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) - { - cmP->cmType = COMPONENT_CM_TYPE; - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - cmP->cmType = PACKED_CM_TYPE; - } - else { - cmP->cmType = UNKNOWN_CM_TYPE; - } - return 1; } @@ -583,6 +602,13 @@ ColorModelS_t *cmodelP = &imageP->cmodel; int imageType = imageP->imageType; + // check whether raster and color model are compatible + if (cmodelP->numComponents != rasterP->numBands) { + if (cmodelP->cmType != INDEX_CM_TYPE) { + return -1; + } + } + hintP->numChans = imageP->cmodel.numComponents; hintP->colorOrder = NULL; if (SAFE_TO_ALLOC_2(hintP->numChans, sizeof(int))) { @@ -1074,6 +1100,10 @@ jsm = (*env)->GetObjectField(env, rasterP->jraster, g_RasterSampleModelID); jdatabuffer = (*env)->GetObjectField(env, rasterP->jraster, g_RasterDataBufferID); + if (band >= numBands) { + JNU_ThrowInternalError(env, "Band out of range."); + return -1; + } /* Here is the generic code */ jdata = (*env)->NewIntArray(env, maxBytes*rasterP->numBands*maxLines); if (JNU_IsNull(env, jdata)) { @@ -1082,11 +1112,6 @@ } if (band >= 0) { int dOff; - if (band >= numBands) { - (*env)->DeleteLocalRef(env, jdata); - JNU_ThrowInternalError(env, "Band out of range."); - return -1; - } off = 0; for (y=0; y < h; y+=maxLines) { if (y+maxLines > h) { diff -r d82a5acd535d -r 384c02152d67 src/share/native/sun/awt/medialib/awt_ImagingLib.c --- a/src/share/native/sun/awt/medialib/awt_ImagingLib.c Wed Apr 24 15:23:44 2013 +0400 +++ b/src/share/native/sun/awt/medialib/awt_ImagingLib.c Tue Apr 30 04:20:46 2013 +0400 @@ -2605,6 +2605,41 @@ return 0; } +#define ERR_BAD_IMAGE_LAYOUT (-2) + +#define CHECK_DST_ARRAY(start_offset, elements_per_pixel) \ + do { \ + int offset = (start_offset); \ + int lastScanOffset; \ + \ + if (!SAFE_TO_MULT(rasterP->scanlineStride, \ + (rasterP->height - 1))) \ + { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset = rasterP->scanlineStride * \ + (rasterP->height - 1); \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (!SAFE_TO_MULT((elements_per_pixel), rasterP->width)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + offset = (elements_per_pixel) * rasterP->width; \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (dataArrayLength < lastScanOffset) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + } while(0); \ + static int storeImageArray(JNIEnv *env, BufImageS_t *srcP, BufImageS_t *dstP, mlib_image *mlibImP) { @@ -2612,6 +2647,7 @@ unsigned char *cmDataP, *dataP, *cDataP; HintS_t *hintP = &dstP->hints; RasterS_t *rasterP = &dstP->raster; + jsize dataArrayLength = (*env)->GetArrayLength(env, rasterP->jdata); int y; /* REMIND: Store mlib data type? */ @@ -2630,14 +2666,15 @@ if (hintP->packing == BYTE_INTERLEAVED) { /* Write it back to the destination */ + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); cmDataP = (unsigned char *) mlib_ImageGetData(mlibImP); mStride = mlib_ImageGetStride(mlibImP); dataP = (unsigned char *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) return 0; - cDataP = dataP + hintP->dataOffset; + cDataP = dataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, cmDataP += mStride, cDataP += hintP->sStride) + y++, cmDataP += mStride, cDataP += rasterP->scanlineStride) { memcpy(cDataP, cmDataP, rasterP->width*hintP->numChans); } @@ -2648,13 +2685,14 @@ /* Write it back to the destination */ unsigned short *sdataP, *sDataP; unsigned short *smDataP = (unsigned short *)mlib_ImageGetData(mlibImP); + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); mStride = mlib_ImageGetStride(mlibImP); sdataP = (unsigned short *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (sdataP == NULL) return -1; - sDataP = sdataP + hintP->dataOffset; + sDataP = sdataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, smDataP += mStride, sDataP += hintP->sStride) + y++, smDataP += mStride, sDataP += rasterP->scanlineStride) { memcpy(sDataP, smDataP, rasterP->width*hintP->numChans); } @@ -3447,7 +3485,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3456,11 +3495,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3515,7 +3561,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3524,11 +3571,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3583,7 +3637,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3592,11 +3647,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3653,7 +3715,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3663,11 +3726,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3743,7 +3813,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3753,11 +3824,17 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3833,7 +3910,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3843,11 +3921,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) {