OpenJDK / jigsaw / jake / jdk
changeset 2269:1ff19af7b735
6899653: Sun Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability
Reviewed-by: prr, hawtin
| author | bae |
|---|---|
| date | Fri, 19 Feb 2010 22:30:52 +0300 |
| parents | 45ead4a2c48b |
| children | cda01c4b091c |
| files | src/share/native/sun/java2d/cmm/lcms/cmsio1.c src/share/native/sun/java2d/cmm/lcms/cmsxform.c |
| diffstat | 2 files changed, 7 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/native/sun/java2d/cmm/lcms/cmsio1.c Wed Feb 17 13:32:26 2010 +0300 +++ b/src/share/native/sun/java2d/cmm/lcms/cmsio1.c Fri Feb 19 22:30:52 2010 +0300 @@ -1433,6 +1433,9 @@ // If is in memory, the LUT is already there, so throw a copy if (Icc -> TagPtrs[n]) { + if (!_cmsValidateLUT((LPLUT) Icc ->TagPtrs[n])) { + return NULL; + } return cmsDupLUT((LPLUT) Icc ->TagPtrs[n]); }
--- a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Wed Feb 17 13:32:26 2010 +0300 +++ b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Fri Feb 19 22:30:52 2010 +0300 @@ -1969,6 +1969,10 @@ goto ErrorCleanup; } + if (Transforms[i] == NULL) { + cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform"); + goto ErrorCleanup; + } CurrentColorSpace = ColorSpaceOut; }