Mercurial > hg > release > icedtea7-forest-2.6 > jdk

changeset 9673:ae4153e2be49

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
PR3640, CVE-2018-16435: lcms2: heap-based buffer overflow in SetData function in cmsIT8LoadFromFile From https://github.com/mm2/Little-CMS/commit/768f70ca405cd3159d990e962d54456773bb8cf8
author andrew
date Mon, 22 Oct 2018 06:31:35 +0100
parents 4cf1f648f7fd
children b624599b602c
files src/share/native/sun/java2d/cmm/lcms/cmscgats.c
diffstat 1 files changed, 11 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/native/sun/java2d/cmm/lcms/cmscgats.c	Mon Oct 22 06:23:01 2018 +0100
+++ b/src/share/native/sun/java2d/cmm/lcms/cmscgats.c	Mon Oct 22 06:31:35 2018 +0100
@@ -30,7 +30,7 @@
 //---------------------------------------------------------------------------------
 //
 //  Little Color Management System
-//  Copyright (c) 1998-2017 Marti Maria Saguer
+//  Copyright (c) 1998-2018 Marti Maria Saguer
 //
 // Permission is hereby granted, free of charge, to any person obtaining
 // a copy of this software and associated documentation files (the "Software"),
@@ -1535,10 +1535,16 @@
     t-> nSamples   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
     t-> nPatches   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
-    t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
-    if (t->Data == NULL) {
-
-        SynError(it8, "AllocateDataSet: Unable to allocate data array");
+    if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+    {
+        SynError(it8, "AllocateDataSet: too much data");
+    }
+    else {
+        t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+        if (t->Data == NULL) {
+
+            SynError(it8, "AllocateDataSet: Unable to allocate data array");
+        }
     }
 
 }