OpenJDK / amber / amber
changeset 6868:f9131565859e
6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability
Reviewed-by: prr
| author | bae |
|---|---|
| date | Thu, 01 Jul 2010 12:04:14 +0400 |
| parents | 3e770ac705b6 |
| children | 7c6ddf135745 |
| files | jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c |
| diffstat | 2 files changed, 8 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Wed Jun 30 16:24:37 2010 +0100 +++ b/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Thu Jul 01 12:04:14 2010 +0400 @@ -190,12 +190,13 @@ "sTrans.xf == NULL"); JNU_ThrowByName(env, "java/awt/color/CMMException", "Cannot get color transform"); + } else { + Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j); } if (iccArray != &_iccArray[0]) { free(iccArray); } - Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j); return sTrans.j; }
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Wed Jun 30 16:24:37 2010 +0100 +++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Thu Jul 01 12:04:14 2010 +0400 @@ -687,6 +687,9 @@ LPGAMMATABLE Shapes1[3]; GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag); + if (!GrayTRC) { + return NULL; + } FromLstarToXYZ(GrayTRC, Shapes1); // Reversing must be done after curve translation @@ -703,6 +706,9 @@ // Normal case GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag); // Y + if (!GrayTRC) { + return NULL; + } Shapes[0] = cmsDupGamma(GrayTRC); Shapes[1] = cmsDupGamma(GrayTRC);