# HG changeset patch # User bae # Date 1252577078 -14400 # Node ID 89ffcfc5fc26503db3de27f17d463d04e83ccabd # Parent d8eff41661bf3ed71606dfcc65a88d72a87c0be6 6632445: DoS from parsing BMPs with UNC ICC links Reviewed-by: prr, hawtin diff -r d8eff41661bf -r 89ffcfc5fc26 jdk/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java --- a/jdk/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java Thu Sep 10 13:52:27 2009 +0400 +++ b/jdk/src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java Thu Sep 10 14:04:38 2009 +0400 @@ -62,6 +62,8 @@ import java.io.*; import java.nio.*; +import java.security.AccessController; +import java.security.PrivilegedAction; import java.util.ArrayList; import java.util.Iterator; import java.util.StringTokenizer; @@ -502,12 +504,18 @@ iis.reset(); try { - if (metadata.colorSpace == PROFILE_LINKED) + if (metadata.colorSpace == PROFILE_LINKED && + isLinkedProfileAllowed() && + !isUncOrDevicePath(profile)) + { + String path = new String(profile, "windows-1252"); + colorSpace = - new ICC_ColorSpace(ICC_Profile.getInstance(new String(profile))); - else + new ICC_ColorSpace(ICC_Profile.getInstance(path)); + } else { colorSpace = new ICC_ColorSpace(ICC_Profile.getInstance(profile)); + } } catch (Exception e) { colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB); } @@ -1745,4 +1753,69 @@ public void sequenceStarted(ImageReader src, int minIndex) {} public void readAborted(ImageReader src) {} } + + private static Boolean isLinkedProfileDisabled = null; + + private static boolean isLinkedProfileAllowed() { + if (isLinkedProfileDisabled == null) { + PrivilegedAction a = new PrivilegedAction() { + public Boolean run() { + return Boolean.getBoolean("sun.imageio.plugins.bmp.disableLinkedProfiles"); + } + }; + isLinkedProfileDisabled = AccessController.doPrivileged(a); + } + return !isLinkedProfileDisabled; + } + + private static Boolean isWindowsPlatform = null; + + /** + * Verifies whether the byte array contans a unc path. + * Non-UNC path examples: + * c:\path\to\file - simple notation + * \\?\c:\path\to\file - long notation + * + * UNC path examples: + * \\server\share - a UNC path in simple notation + * \\?\UNC\server\share - a UNC path in long notation + * \\.\some\device - a path to device. + */ + private static boolean isUncOrDevicePath(byte[] p) { + if (isWindowsPlatform == null) { + PrivilegedAction a = new PrivilegedAction() { + public Boolean run() { + String osname = System.getProperty("os.name"); + return (osname != null && + osname.toLowerCase().startsWith("win")); + } + }; + isWindowsPlatform = AccessController.doPrivileged(a); + } + + if (!isWindowsPlatform) { + /* no need for the check on platforms except windows */ + return false; + } + + /* normalize prefix of the path */ + if (p[0] == '/') p[0] = '\\'; + if (p[1] == '/') p[1] = '\\'; + if (p[3] == '/') p[3] = '\\'; + + + if ((p[0] == '\\') && (p[1] == '\\')) { + if ((p[2] == '?') && (p[3] == '\\')) { + // long path: whether unc or local + return ((p[4] == 'U' || p[4] == 'u') && + (p[5] == 'N' || p[5] == 'n') && + (p[6] == 'C' || p[6] == 'c')); + } else { + // device path or short unc notation + return true; + } + } else { + return false; + } + } }