# HG changeset patch
# User bae
# Date 1252914376 -14400
# Node ID a9ca0ff3386297748ca3b56413f6d2de86b3f7fe
# Parent 8925b5c1334bd7e258926843a01ebd80ab6bac9b
6872358: JRE AWT setBytePixels vulnerable to Heap Overflow
Reviewed-by: prr, hawtin
diff -r 8925b5c1334b -r a9ca0ff33862 jdk/make/sun/awt/mapfile-vers
--- a/jdk/make/sun/awt/mapfile-vers Thu Sep 10 14:15:47 2009 +0400
+++ b/jdk/make/sun/awt/mapfile-vers Mon Sep 14 11:46:16 2009 +0400
@@ -53,7 +53,6 @@
 Java_sun_awt_image_GifImageDecoder_initIDs;
 Java_sun_awt_image_GifImageDecoder_parseImage;
 Java_sun_awt_image_ImageRepresentation_initIDs;
- Java_sun_awt_image_ImageRepresentation_setBytePixels;
 Java_sun_awt_image_ImageRepresentation_setDiffICM;
 Java_sun_awt_image_ImageRepresentation_setICMpixels;
 Java_sun_awt_image_ImagingLib_convolveBI;
diff -r 8925b5c1334b -r a9ca0ff33862 jdk/make/sun/awt/mapfile-vers-linux
--- a/jdk/make/sun/awt/mapfile-vers-linux Thu Sep 10 14:15:47 2009 +0400
+++ b/jdk/make/sun/awt/mapfile-vers-linux Mon Sep 14 11:46:16 2009 +0400
@@ -55,7 +55,6 @@
 Java_sun_awt_image_GifImageDecoder_parseImage;
 Java_sun_awt_image_Image_initIDs;
 Java_sun_awt_image_ImageRepresentation_initIDs;
- Java_sun_awt_image_ImageRepresentation_setBytePixels;
 Java_sun_awt_image_ImageRepresentation_setDiffICM;
 Java_sun_awt_image_ImageRepresentation_setICMpixels;
 Java_sun_awt_image_ImagingLib_convolveBI;
diff -r 8925b5c1334b -r a9ca0ff33862 jdk/src/share/classes/sun/awt/image/ImageRepresentation.java
--- a/jdk/src/share/classes/sun/awt/image/ImageRepresentation.java Thu Sep 10 14:15:47 2009 +0400
+++ b/jdk/src/share/classes/sun/awt/image/ImageRepresentation.java Mon Sep 14 11:46:16 2009 +0400
@@ -336,10 +336,6 @@
 public native void setICMpixels(int x, int y, int w, int h, int[] lut,
 byte[] pix, int off, int scansize,
 IntegerComponentRaster ict);
-
- public native void setBytePixels(int x, int y, int w, int h, byte[] pix,
- int off, int scansize,
- ByteComponentRaster bct, int chanOff);
 public native int setDiffICM(int x, int y, int w, int h, int[] lut,
 int transPix, int numLut, IndexColorModel icm,
 byte[] pix, int off, int scansize,
@@ -450,27 +446,17 @@
 (biRaster instanceof ByteComponentRaster) &&
 (biRaster.getNumDataElements() == 1)){
 ByteComponentRaster bt = (ByteComponentRaster) biRaster;
- if (w*h > 200) {
- if (off == 0 && scansize == w) {
- bt.putByteData(x, y, w, h, pix);
- }
- else {
- byte[] bpix = new byte[w];
- poff = off;
- for (int yoff=y; yoff < y+h; yoff++) {
- System.arraycopy(pix, poff, bpix, 0, w);
- bt.putByteData(x, yoff, w, 1, bpix);
- poff += scansize;
- }
- }
+ if (off == 0 && scansize == w) {
+ bt.putByteData(x, y, w, h, pix);
 }
 else {
- // Only is faster if #pixels
- // Note that setBytePixels modifies the raster directly
- // so we must mark it as changed afterwards
- setBytePixels(x, y, w, h, pix, off, scansize, bt,
- bt.getDataOffset(0));
- bt.markDirty();
+ byte[] bpix = new byte[w];
+ poff = off;
+ for (int yoff=y; yoff < y+h; yoff++) {
+ System.arraycopy(pix, poff, bpix, 0, w);
+ bt.putByteData(x, yoff, w, 1, bpix);
+ poff += scansize;
+ }
 }
 }
 else {
diff -r 8925b5c1334b -r a9ca0ff33862 jdk/src/share/native/sun/awt/image/awt_ImageRep.c
--- a/jdk/src/share/native/sun/awt/image/awt_ImageRep.c Thu Sep 10 14:15:47 2009 +0400
+++ b/jdk/src/share/native/sun/awt/image/awt_ImageRep.c Mon Sep 14 11:46:16 2009 +0400
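Review bot: In the `@@ -450,27 +446,17 @@` hunk of ImageRepresentation.java, nothing in the new code records why small updates no longer take a native shortcut, so the `w*h > 200` split could be reintroduced later as an optimisation. A comment above `if (off == 0 && scansize == w) {` would cover it, for example `// All updates go through putByteData; the native setBytePixels copied into the raster with no check of x, y, w, h, off or scansize.` The safety of the remaining path rests on the bounds checks in `System.arraycopy` and `ByteComponentRaster.putByteData`, neither of which is visible here, and `y+h` and `poff += scansize` are still plain int arithmetic, so a regression test feeding out-of-range and overflowing values through this method would be worth adding with the change. The enclosing method begins and ends outside the hunk.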
@@ -142,84 +142,6 @@
 }
-JNIEXPORT void JNICALL
-Java_sun_awt_image_ImageRepresentation_setBytePixels(JNIEnv *env, jclass cls,
- jint x, jint y, jint w,
- jint h, jbyteArray jpix,
- jint off, jint scansize,
- jobject jbct,
- jint chanOffs)
-{
- int sStride;
- int pixelStride;
- jobject jdata;
- unsigned char *srcData;
- unsigned char *dstData;
- unsigned char *dataP;
- unsigned char *pixP;
- int i;
- int j;
-
-
- if (JNU_IsNull(env, jpix)) {
- JNU_ThrowNullPointerException(env, "NullPointerException");
- return;
- }
-
- sStride = (*env)->GetIntField(env, jbct, g_BCRscanstrID);
- pixelStride = (*env)->GetIntField(env, jbct, g_BCRpixstrID);
- jdata = (*env)->GetObjectField(env, jbct, g_BCRdataID);
-
- srcData = (unsigned char *) (*env)->GetPrimitiveArrayCritical(env, jpix,
- NULL);
- if (srcData == NULL) {
- /* out of memory error already thrown */
- return;
- }
-
- dstData = (unsigned char *) (*env)->GetPrimitiveArrayCritical(env, jdata,
- NULL);
- if (dstData == NULL) {
- /* out of memory error already thrown */
- (*env)->ReleasePrimitiveArrayCritical(env, jpix, srcData, JNI_ABORT);
- return;
- }
-
- dataP = dstData + chanOffs + y*sStride + x*pixelStride;
- pixP = srcData + off;
- if (pixelStride == 1) {
- if (sStride == scansize && scansize == w) {
- memcpy(dataP, pixP, w*h);
- }
- else {
- for (i=0; i < h; i++) {
- memcpy(dataP, pixP, w);
- dataP += sStride;
- pixP += scansize;
- }
- }
- }
- else {
- unsigned char *ydataP = dataP;
- unsigned char *ypixP = pixP;
-
- for (i=0; i < h; i++) {
- dataP = ydataP;
- pixP = ypixP;
- for (j=0; j < w; j++) {
- *dataP = *pixP++;
- dataP += pixelStride;
- }
- ydataP += sStride;
- ypixP += scansize;
- }
- }
-
- (*env)->ReleasePrimitiveArrayCritical(env, jpix, srcData, JNI_ABORT);
- (*env)->ReleasePrimitiveArrayCritical(env, jdata, dstData, JNI_ABORT);
-
-}
-
 JNIEXPORT jint JNICALL
 Java_sun_awt_image_ImageRepresentation_setDiffICM(JNIEnv *env, jclass cls,
 jint x, jint y, jint w,