diff options
Diffstat (limited to 'java/openjdk6/files/icedtea/security/20130304/8007014.patch')
| -rw-r--r-- | java/openjdk6/files/icedtea/security/20130304/8007014.patch | 463 |
1 files changed, 0 insertions, 463 deletions
diff --git a/java/openjdk6/files/icedtea/security/20130304/8007014.patch b/java/openjdk6/files/icedtea/security/20130304/8007014.patch deleted file mode 100644 index 85cdc4cd8adb..000000000000 --- a/java/openjdk6/files/icedtea/security/20130304/8007014.patch +++ /dev/null @@ -1,463 +0,0 @@ -# HG changeset patch -# User bae -# Date 1360857111 -14400 -# Node ID 0dcf8ad3e63dfa4bb929bf2de99b95f18f5ea1c8 -# Parent 8a980f97e66a6433a1cdc946c90aff4433ea505c -8007014: Improve image handling -Reviewed-by: prr, mschoene, jgodinez - ---- jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java Thu Feb 14 19:51:51 2013 +0400 -@@ -868,6 +868,15 @@ public class ByteComponentRaster extends - * or if data buffer has not enough capacity. - */ - protected final void verify() { -+ /* Need to re-verify the dimensions since a sample model may be -+ * specified to the constructor -+ */ -+ if (width <= 0 || height <= 0 || -+ height > (Integer.MAX_VALUE / width)) -+ { -+ throw new RasterFormatException("Invalid raster dimension"); -+ } -+ - for (int i = 0; i < dataOffsets.length; i++) { - if (dataOffsets[i] < 0) { - throw new RasterFormatException("Data offsets for band " + i -@@ -905,12 +914,13 @@ public class ByteComponentRaster extends - lastPixelOffset += lastScanOffset; - - for (int i = 0; i < numDataElements; i++) { -- size = lastPixelOffset + dataOffsets[i]; - if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) { - throw new RasterFormatException("Incorrect band offset: " - + dataOffsets[i]); - - } -+ -+ size = lastPixelOffset + dataOffsets[i]; - - if (size > maxSize) { - maxSize = size; ---- jdk/src/share/classes/sun/awt/image/BytePackedRaster.java Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/classes/sun/awt/image/BytePackedRaster.java Thu Feb 14 19:51:51 2013 +0400 -@@ -1368,11 +1368,35 @@ public class BytePackedRaster extends Su - throw new RasterFormatException("Data offsets must be >= 0"); - } - -+ /* Need to re-verify the dimensions since a sample model may be -+ * specified to the constructor -+ */ -+ if (width <= 0 || height <= 0 || -+ height > (Integer.MAX_VALUE / width)) -+ { -+ throw new RasterFormatException("Invalid raster dimension"); -+ } -+ -+ -+ /* -+ * pixelBitstride was verified in constructor, so just make -+ * sure that it is safe to multiply it by width. -+ */ -+ if ((width - 1) > Integer.MAX_VALUE / pixelBitStride) { -+ throw new RasterFormatException("Invalid raster dimension"); -+ } -+ -+ if (scanlineStride < 0 || -+ scanlineStride > (Integer.MAX_VALUE / height)) -+ { -+ throw new RasterFormatException("Invalid scanline stride"); -+ } -+ - int lastbit = (dataBitOffset - + (height-1) * scanlineStride * 8 - + (width-1) * pixelBitStride - + pixelBitStride - 1); -- if (lastbit / 8 >= data.length) { -+ if (lastbit < 0 || lastbit / 8 >= data.length) { - throw new RasterFormatException("raster dimensions overflow " + - "array bounds"); - } ---- jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java Thu Feb 14 19:51:51 2013 +0400 -@@ -208,7 +208,7 @@ public class IntegerComponentRaster exte - " SinglePixelPackedSampleModel"); - } - -- verify(false); -+ verify(); - } - - -@@ -629,16 +629,26 @@ public class IntegerComponentRaster exte - } - - /** -- * Verify that the layout parameters are consistent with -- * the data. If strictCheck -- * is false, this method will check for ArrayIndexOutOfBounds conditions. If -- * strictCheck is true, this method will check for additional error -- * conditions such as line wraparound (width of a line greater than -- * the scanline stride). -- * @return String Error string, if the layout is incompatible with -- * the data. Otherwise returns null. -- */ -- private void verify (boolean strictCheck) { -+ * Verify that the layout parameters are consistent with the data. -+ * -+ * The method verifies whether scanline stride and pixel stride do not -+ * cause an integer overflow during calculation of a position of the pixel -+ * in data buffer. It also verifies whether the data buffer has enough data -+ * to correspond the raster layout attributes. -+ * -+ * @throws RasterFormatException if an integer overflow is detected, -+ * or if data buffer has not enough capacity. -+ */ -+ protected final void verify() { -+ /* Need to re-verify the dimensions since a sample model may be -+ * specified to the constructor -+ */ -+ if (width <= 0 || height <= 0 || -+ height > (Integer.MAX_VALUE / width)) -+ { -+ throw new RasterFormatException("Invalid raster dimension"); -+ } -+ - if (dataOffsets[0] < 0) { - throw new RasterFormatException("Data offset ("+dataOffsets[0]+ - ") must be >= 0"); -@@ -647,17 +657,46 @@ public class IntegerComponentRaster exte - int maxSize = 0; - int size; - -- for (int i=0; i < numDataElements; i++) { -- size = (height-1)*scanlineStride + (width-1)*pixelStride + -- dataOffsets[i]; -+ // we can be sure that width and height are greater than 0 -+ if (scanlineStride < 0 || -+ scanlineStride > (Integer.MAX_VALUE / height)) -+ { -+ // integer overflow -+ throw new RasterFormatException("Incorrect scanline stride: " -+ + scanlineStride); -+ } -+ int lastScanOffset = (height - 1) * scanlineStride; -+ -+ if (pixelStride < 0 || -+ pixelStride > (Integer.MAX_VALUE / width)) -+ { -+ // integer overflow -+ throw new RasterFormatException("Incorrect pixel stride: " -+ + pixelStride); -+ } -+ int lastPixelOffset = (width - 1) * pixelStride; -+ -+ if (lastPixelOffset > (Integer.MAX_VALUE - lastScanOffset)) { -+ // integer overflow -+ throw new RasterFormatException("Incorrect raster attributes"); -+ } -+ lastPixelOffset += lastScanOffset; -+ -+ for (int i = 0; i < numDataElements; i++) { -+ if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) { -+ throw new RasterFormatException("Incorrect band offset: " -+ + dataOffsets[i]); -+ } -+ -+ size = lastPixelOffset + dataOffsets[i]; -+ - if (size > maxSize) { - maxSize = size; - } - } - if (data.length < maxSize) { -- throw new RasterFormatException("Data array too small (should be "+ -- maxSize -- +" but is "+data.length+" )"); -+ throw new RasterFormatException("Data array too small (should be " -+ + maxSize + " )"); - } - } - ---- jdk/src/share/classes/sun/awt/image/IntegerInterleavedRaster.java Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/classes/sun/awt/image/IntegerInterleavedRaster.java Thu Feb 14 19:51:51 2013 +0400 -@@ -151,7 +151,7 @@ public class IntegerInterleavedRaster ex - throw new RasterFormatException("IntegerInterleavedRasters must have"+ - " SinglePixelPackedSampleModel"); - } -- verify(false); -+ verify(); - } - - -@@ -540,31 +540,6 @@ public class IntegerInterleavedRaster ex - return createCompatibleWritableRaster(width,height); - } - -- /** -- * Verify that the layout parameters are consistent with -- * the data. If strictCheck -- * is false, this method will check for ArrayIndexOutOfBounds conditions. If -- * strictCheck is true, this method will check for additional error -- * conditions such as line wraparound (width of a line greater than -- * the scanline stride). -- * @return String Error string, if the layout is incompatible with -- * the data. Otherwise returns null. -- */ -- private void verify (boolean strictCheck) { -- int maxSize = 0; -- int size; -- -- size = (height-1)*scanlineStride + (width-1) + dataOffsets[0]; -- if (size > maxSize) { -- maxSize = size; -- } -- if (data.length < maxSize) { -- throw new RasterFormatException("Data array too small (should be "+ -- maxSize -- +" but is "+data.length+" )"); -- } -- } -- - public String toString() { - return new String ("IntegerInterleavedRaster: width = "+width - +" height = " + height ---- jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java Thu Feb 14 19:51:51 2013 +0400 -@@ -802,6 +802,15 @@ public class ShortComponentRaster extend - * or if data buffer has not enough capacity. - */ - protected final void verify() { -+ /* Need to re-verify the dimensions since a sample model may be -+ * specified to the constructor -+ */ -+ if (width <= 0 || height <= 0 || -+ height > (Integer.MAX_VALUE / width)) -+ { -+ throw new RasterFormatException("Invalid raster dimension"); -+ } -+ - for (int i = 0; i < dataOffsets.length; i++) { - if (dataOffsets[i] < 0) { - throw new RasterFormatException("Data offsets for band " + i -@@ -839,11 +848,12 @@ public class ShortComponentRaster extend - lastPixelOffset += lastScanOffset; - - for (int i = 0; i < numDataElements; i++) { -- size = lastPixelOffset + dataOffsets[i]; - if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) { - throw new RasterFormatException("Incorrect band offset: " - + dataOffsets[i]); - } -+ -+ size = lastPixelOffset + dataOffsets[i]; - - if (size > maxSize) { - maxSize = size; ---- jdk/src/share/native/sun/awt/image/awt_parseImage.c Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/native/sun/awt/image/awt_parseImage.c Thu Feb 14 19:51:51 2013 +0400 -@@ -34,6 +34,7 @@ - #include "java_awt_color_ColorSpace.h" - #include "awt_Mlib.h" - #include "safe_alloc.h" -+#include "safe_math.h" - - static int setHints(JNIEnv *env, BufImageS_t *imageP); - ---- jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Thu Feb 14 19:51:51 2013 +0400 -@@ -42,6 +42,7 @@ - #include "awt_Mlib.h" - #include "gdefs.h" - #include "safe_alloc.h" -+#include "safe_math.h" - - /*************************************************************************** - * Definitions * -@@ -1993,13 +1994,23 @@ cvtCustomToDefault(JNIEnv *env, BufImage - unsigned char *dP = dataP; - #define NUM_LINES 10 - int numLines = NUM_LINES; -- int nbytes = rasterP->width*4*NUM_LINES; -+ /* it is safe to calculate the scan length, because width has been verified -+ * on creation of the mlib image -+ */ -+ int scanLength = rasterP->width * 4; -+ -+ int nbytes = 0; -+ if (!SAFE_TO_MULT(numLines, scanLength)) { -+ return -1; -+ } -+ -+ nbytes = numLines * scanLength; - - for (y=0; y < rasterP->height; y+=numLines) { - /* getData, one scanline at a time */ - if (y+numLines > rasterP->height) { - numLines = rasterP->height - y; -- nbytes = rasterP->width*4*numLines; -+ nbytes = numLines * scanLength; - } - jpixels = (*env)->CallObjectMethod(env, imageP->jimage, - g_BImgGetRGBMID, 0, y, -@@ -2129,8 +2140,14 @@ allocateArray(JNIEnv *env, BufImageS_t * - if (cvtToDefault) { - int status = 0; - *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, 4, width, height); -+ if (*mlibImagePP == NULL) { -+ return -1; -+ } - cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP); -- /* Make sure the image is cleared */ -+ /* Make sure the image is cleared. -+ * NB: the image dimension is already verified, so we can -+ * safely calculate the length of the buffer. -+ */ - memset(cDataP, 0, width*height*4); - - if (!isSrc) { -@@ -2380,6 +2397,9 @@ allocateRasterArray(JNIEnv *env, RasterS - case sun_awt_image_IntegerComponentRaster_TYPE_BYTE_PACKED_SAMPLES: - *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands, - width, height); -+ if (*mlibImagePP == NULL) { -+ return -1; -+ } - if (!isSrc) return 0; - cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP); - return expandPackedBCR(env, rasterP, -1, cDataP); -@@ -2388,6 +2408,9 @@ allocateRasterArray(JNIEnv *env, RasterS - if (rasterP->sppsm.maxBitSize <= 8) { - *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands, - width, height); -+ if (*mlibImagePP == NULL) { -+ return -1; -+ } - if (!isSrc) return 0; - cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP); - return expandPackedSCR(env, rasterP, -1, cDataP); -@@ -2397,6 +2420,9 @@ allocateRasterArray(JNIEnv *env, RasterS - if (rasterP->sppsm.maxBitSize <= 8) { - *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands, - width, height); -+ if (*mlibImagePP == NULL) { -+ return -1; -+ } - if (!isSrc) return 0; - cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP); - return expandPackedICR(env, rasterP, -1, cDataP); ---- jdk/src/share/native/sun/awt/medialib/mlib_ImageCreate.c Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/native/sun/awt/medialib/mlib_ImageCreate.c Thu Feb 14 19:51:51 2013 +0400 -@@ -120,6 +120,7 @@ - #include "mlib_image.h" - #include "mlib_ImageRowTable.h" - #include "mlib_ImageCreate.h" -+#include "safe_math.h" - - /***************************************************************/ - mlib_image* mlib_ImageSet(mlib_image *image, -@@ -247,25 +248,47 @@ mlib_image *mlib_ImageCreate(mlib_type t - return NULL; - }; - -+ if (!SAFE_TO_MULT(width, channels)) { -+ return NULL; -+ } -+ -+ wb = width * channels; -+ - switch (type) { - case MLIB_DOUBLE: -- wb = width * channels * 8; -+ if (!SAFE_TO_MULT(wb, 8)) { -+ return NULL; -+ } -+ wb *= 8; - break; - case MLIB_FLOAT: - case MLIB_INT: -- wb = width * channels * 4; -+ if (!SAFE_TO_MULT(wb, 4)) { -+ return NULL; -+ } -+ wb *= 4; - break; - case MLIB_USHORT: - case MLIB_SHORT: -- wb = width * channels * 2; -+ if (!SAFE_TO_MULT(wb, 4)) { -+ return NULL; -+ } -+ wb *= 2; - break; - case MLIB_BYTE: -- wb = width * channels; -+ // wb is ready - break; - case MLIB_BIT: -- wb = (width * channels + 7) / 8; -+ if (!SAFE_TO_ADD(7, wb)) { -+ return NULL; -+ } -+ wb = (wb + 7) / 8; - break; - default: -+ return NULL; -+ } -+ -+ if (!SAFE_TO_MULT(wb, height)) { - return NULL; - } - ---- jdk/src/share/native/sun/awt/medialib/safe_alloc.h Tue Feb 26 12:42:17 2013 -0800 -+++ jdk/src/share/native/sun/awt/medialib/safe_alloc.h Thu Feb 14 19:51:51 2013 +0400 -@@ -41,10 +41,4 @@ - (((w) > 0) && ((h) > 0) && ((sz) > 0) && \ - (((0xffffffffu / ((juint)(w))) / ((juint)(h))) > ((juint)(sz)))) - --#define SAFE_TO_MULT(a, b) \ -- (((a) > 0) && ((b) >= 0) && ((0x7fffffff / (a)) > (b))) -- --#define SAFE_TO_ADD(a, b) \ -- (((a) >= 0) && ((b) >= 0) && ((0x7fffffff - (a)) > (b))) -- - #endif // __SAFE_ALLOC_H__ ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ jdk/src/share/native/sun/awt/medialib/safe_math.h Thu Feb 14 19:51:51 2013 +0400 -@@ -0,0 +1,35 @@ -+/* -+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+#ifndef __SAFE_MATH_H__ -+#define __SAFE_MATH_H__ -+ -+#define SAFE_TO_MULT(a, b) \ -+ (((a) > 0) && ((b) >= 0) && ((0x7fffffff / (a)) > (b))) -+ -+#define SAFE_TO_ADD(a, b) \ -+ (((a) >= 0) && ((b) >= 0) && ((0x7fffffff - (a)) > (b))) -+ -+#endif // __SAFE_MATH_H__ - |