From e3262fa4db6bffaed06349d2ba5cbcb15707d28d Mon Sep 17 00:00:00 2001
From: Greg Lewis
Date: Sat, 16 Oct 2004 17:00:27 +0000
Subject: . In the ReadChunk() function, change an assert() to be a "test for a condition and return NULL". Take account of the NULL in the appropriate place (which is somewhat worrisome in itself since ReadChunk() has always had the possibility of returning NULL). This makes loading a font file a little more resilient to specially crafted font data which can be used, for example, by an applet to crash the browser plugin by triggering the assert(). Such an applet was mentioned on Bugtraq: http://www.securityfocus.com/archive/1/367331/2004-06-26/2004-07-02/0 and can be found at http://www.illegalaccess.org/cms/?q=node/view/9 This change stops the browser plugin from crashing. . Fix some warnings regarding formats in debugging printf's.
---
.../files/patch-awt_fontmanager_fontObject.cpp | 53 ++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 java/jdk16/files/patch-awt_fontmanager_fontObject.cpp
(limited to 'java/jdk16/files')
diff --git a/java/jdk16/files/patch-awt_fontmanager_fontObject.cpp b/java/jdk16/files/patch-awt_fontmanager_fontObject.cpp
new file mode 100644
index 000000000000..3efc10e85b68
--- /dev/null
+++ b/java/jdk16/files/patch-awt_fontmanager_fontObject.cpp
@@ -0,0 +1,53 @@
+$FreeBSD$
+
+--- ../../j2se/src/share/native/sun/awt/font/fontmanager/fontobjects/fontObject.cpp.orig Wed Jul 7 09:33:52 2004
++++ ../../j2se/src/share/native/sun/awt/font/fontmanager/fontobjects/fontObject.cpp Wed Jul 7 13:26:03 2004
+@@ -416,7 +416,11 @@
+ fUseCount += 1;
+
+ if (length > 0 && fFileSize > 0) {
+- assert(offset < fFileSize);
++ if (offset >= fFileSize) {
++ fUseCount--;
++ return NULL;
++ }
++
+ if ((offset + length) > fFileSize)
+ length = fFileSize - offset;
+
+@@ -431,13 +435,14 @@
+ "fileFontObject::ReadChunk(UInt32,UInt32,void*)\n"
+ );
+ #endif
++ fUseCount--;
+ return NULL;
+ }
+
+ off_t err = lseek(fFile, offset, SEEK_SET);
+ #ifdef DEBUG
+ if (err == (off_t)-1) {
+- fprintf(stderr, "seek(%d) returned %d\n", offset, (int) err);
++ fprintf(stderr, "seek(%ld) returned %d\n", offset, (int) err);
+ }
+ #endif
+
+@@ -448,7 +453,7 @@
+ int tellvalue = lseek(fFile, 0, SEEK_END);
+ #ifdef DEBUG
+ fprintf(stderr,
+- "<%s> of %d, ln %d, rd %d, sz %d, tell %d, err %d\n",
++ "<%s> of %ld, ln %ld, rd %d, sz %ld, tell %d, err %d\n",
+ (char *)fFileName, offset, length, (int)bytesRead,
+ fFileSize, tellvalue, (int) err);
+ #endif
+@@ -1457,7 +1462,9 @@
+ return false;
+ }
+
+- this->ReadChunk(sizeof theHeader, fFontCount * sizeof *offsets, offsets);
++ if (this->ReadChunk(sizeof theHeader, fFontCount * sizeof *offsets, offsets) == NULL) {
++ return false;
++ }
+ for (int i=0; i
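Review bot: The clamp directly after the new `offset >= fFileSize` check in the inner `@@ -416` hunk still evaluates `offset + length`, and the debug string in the next hunk names both parameters as `UInt32`, so a sufficiently large `length` can wrap the sum and leave `length` unclamped. Because the new check already guarantees `offset < fFileSize` at that point, the test can be written without the addition as `if (length > fFileSize - offset)`. This matters for the caller in the `@@ -1457` hunk, which passes `fFontCount * sizeof *offsets`, a value that presumably comes from the font file. Separately, both new early returns restore the counter with a hand-written `fUseCount--`; ReadChunk starts and ends outside these hunks, so it cannot be confirmed here that every other exit path does the same.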