# HG changeset patch # User bae # Date 1367282461 -14400 # Node ID ab42088d6e10feb0e5274eda87d13b6abc1791df # Parent 35323587f1ff0548cf0377a99e4970d01fb5051d 8012597: Better image channel verification Reviewed-by: vadim diff -r 35323587f1ff -r ab42088d6e10 jdk/src/share/classes/java/awt/image/BufferedImage.java --- a/jdk/src/share/classes/java/awt/image/BufferedImage.java Mon Apr 29 11:47:17 2013 -0400 +++ b/jdk/src/share/classes/java/awt/image/BufferedImage.java Tue Apr 30 04:41:01 2013 +0400 @@ -654,17 +654,19 @@ int csType = cs.getType(); if (csType != ColorSpace.TYPE_RGB) { if (csType == ColorSpace.TYPE_GRAY - && cm instanceof ComponentColorModel) { + && ComponentColorModel.class.equals(cm.getClass())) { // Check if this might be a child raster (fix for bug 4240596) if (sm instanceof ComponentSampleModel && ((ComponentSampleModel)sm).getPixelStride() != numBands) { imageType = TYPE_CUSTOM; } else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 8 && ((ByteComponentRaster)raster).getPixelStride() == 1) { imageType = TYPE_BYTE_GRAY; } else if (raster instanceof ShortComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass()) && raster.getNumBands() == 1 && cm.getComponentSize(0) == 16 && ((ShortComponentRaster)raster).getPixelStride() == 1) { @@ -684,7 +686,8 @@ // are correct int pixSize = cm.getPixelSize(); if (iraster.getPixelStride() == 1 && - cm instanceof DirectColorModel && + DirectColorModel.class.equals(cm.getClass()) && + SinglePixelPackedSampleModel.class.equals(sm.getClass()) && (pixSize == 32 || pixSize == 24)) { // Now check on the DirectColorModel params @@ -715,16 +718,21 @@ } // if (rmask == DCM_BGR_RED_MASK && } // if (iraster.getPixelStride() == 1 } // ((raster instanceof IntegerComponentRaster) && - else if ((cm instanceof IndexColorModel) && (numBands == 1) && + else if ((IndexColorModel.class.equals(cm.getClass())) && + (numBands == 1) && (!cm.hasAlpha() || !isAlphaPre)) { IndexColorModel icm = (IndexColorModel) cm; int pixSize = icm.getPixelSize(); - if (raster instanceof BytePackedRaster) { + if (raster instanceof BytePackedRaster && + MultiPixelPackedSampleModel.class.equals(sm.getClass())) + { imageType = TYPE_BYTE_BINARY; } // if (raster instanceof BytePackedRaster) - else if (raster instanceof ByteComponentRaster) { + else if (raster instanceof ByteComponentRaster && + PixelInterleavedSampleModel.class.equals(sm.getClass())) + { ByteComponentRaster braster = (ByteComponentRaster) raster; if (braster.getPixelStride() == 1 && pixSize <= 8) { imageType = TYPE_BYTE_INDEXED; @@ -732,7 +740,8 @@ } } // else if (cm instanceof IndexColorModel) && (numBands == 1)) else if ((raster instanceof ShortComponentRaster) - && (cm instanceof DirectColorModel) + && (DirectColorModel.class.equals(cm.getClass())) + && (SinglePixelPackedSampleModel.class.equals(sm.getClass())) && (numBands == 3) && !cm.hasAlpha()) { @@ -779,12 +788,14 @@ braster.getPixelStride() == numBands && offs[0] == numBands-1 && offs[1] == numBands-2 && - offs[2] == numBands-3) + offs[2] == numBands-3 && + ComponentColorModel.class.equals(ccm.getClass()) && + PixelInterleavedSampleModel.class.equals(csm.getClass())) { - if (numBands == 3) { + if (numBands == 3 && !ccm.hasAlpha()) { imageType = TYPE_3BYTE_BGR; } - else if (offs[3] == 0) { + else if (offs[3] == 0 && ccm.hasAlpha()) { imageType = (isAlphaPre ? TYPE_4BYTE_ABGR_PRE : TYPE_4BYTE_ABGR); diff -r 35323587f1ff -r ab42088d6e10 jdk/src/share/native/sun/awt/image/awt_parseImage.c --- a/jdk/src/share/native/sun/awt/image/awt_parseImage.c Mon Apr 29 11:47:17 2013 -0400 +++ b/jdk/src/share/native/sun/awt/image/awt_parseImage.c Tue Apr 30 04:41:01 2013 +0400 @@ -396,10 +396,39 @@ return 1; } +static int getColorModelType(JNIEnv *env, jobject jcmodel) { + int type = UNKNOWN_CM_TYPE; + + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + { + type = INDEX_CM_TYPE; + } else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) + { + if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/DirectColorModel"))) { + type = DIRECT_CM_TYPE; + } + else { + type = PACKED_CM_TYPE; + } + } + else if ((*env)->IsInstanceOf(env, jcmodel, + (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) + { + type = COMPONENT_CM_TYPE; + } + + return type; +} + int awt_parseColorModel (JNIEnv *env, jobject jcmodel, int imageType, ColorModelS_t *cmP) { /*jmethodID jID; */ jobject jnBits; + jsize nBitsLength; + int i; static jobject s_jdefCM = NULL; @@ -421,15 +450,55 @@ cmP->transparency = (*env)->GetIntField(env, jcmodel, g_CMtransparencyID); + jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); + if (jnBits == NULL) { + JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); + return -1; + } + + nBitsLength = (*env)->GetArrayLength(env, jnBits); + if (nBitsLength != cmP->numComponents) { + // invalid number of components? + return -1; + } + + cmP->nBits = NULL; + if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { + cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); + } + + if (cmP->nBits == NULL){ + JNU_ThrowOutOfMemoryError(env, "Out of memory"); + return -1; + } + (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, + cmP->nBits); + cmP->maxNbits = 0; + for (i=0; i < cmP->numComponents; i++) { + if (cmP->maxNbits < cmP->nBits[i]) { + cmP->maxNbits = cmP->nBits[i]; + } + } + + cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); + + cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); + + cmP->cmType = getColorModelType(env, jcmodel); + + cmP->isDefaultCM = FALSE; + cmP->isDefaultCompatCM = FALSE; + + /* look for standard cases */ if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB) { cmP->isDefaultCM = TRUE; cmP->isDefaultCompatCM = TRUE; } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_ARGB_PRE || - imageType == java_awt_image_BufferedImage_TYPE_INT_RGB) { - cmP->isDefaultCompatCM = TRUE; - } else if (imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || + imageType == java_awt_image_BufferedImage_TYPE_INT_RGB || + imageType == java_awt_image_BufferedImage_TYPE_INT_BGR || imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR || - imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE){ + imageType == java_awt_image_BufferedImage_TYPE_4BYTE_ABGR_PRE) + { cmP->isDefaultCompatCM = TRUE; } else { @@ -450,50 +519,25 @@ cmP->isDefaultCompatCM = cmP->isDefaultCM; } + /* check whether image attributes correspond to default cm */ if (cmP->isDefaultCompatCM) { - cmP->cmType = DIRECT_CM_TYPE; - cmP->nBits = (jint *) malloc(sizeof(jint)*4); - cmP->nBits[0] = cmP->nBits[1] = cmP->nBits[2] = cmP->nBits[3] = 8; - cmP->maxNbits = 8; - cmP->is_sRGB = TRUE; - cmP->csType = java_awt_color_ColorSpace_TYPE_RGB; - - return 1; - } + if (cmP->csType != java_awt_color_ColorSpace_TYPE_RGB || + !cmP->is_sRGB) + { + return -1; + } - jnBits = (*env)->GetObjectField(env, jcmodel, g_CMnBitsID); - if (jnBits == NULL) { - JNU_ThrowNullPointerException(env, "null nBits structure in CModel"); - return -1; - } - - cmP->nBits = NULL; - if (SAFE_TO_ALLOC_2(cmP->numComponents, sizeof(jint))) { - cmP->nBits = (jint *)malloc(cmP->numComponents * sizeof(jint)); - } - if (cmP->nBits == NULL){ - JNU_ThrowOutOfMemoryError(env, "Out of memory"); - return -1; - } - (*env)->GetIntArrayRegion(env, jnBits, 0, cmP->numComponents, - cmP->nBits); - cmP->maxNbits = 0; - for (i=0; i < cmP->numComponents; i++) { - if (cmP->maxNbits < cmP->nBits[i]) { - cmP->maxNbits = cmP->nBits[i]; + for (i = 0; i < cmP->numComponents; i++) { + if (cmP->nBits[i] != 8) { + return -1; + } } } - cmP->is_sRGB = (*env)->GetBooleanField(env, cmP->jcmodel, g_CMis_sRGBID); - - cmP->csType = (*env)->GetIntField(env, cmP->jcmodel, g_CMcsTypeID); - - /* Find out what type of colol model */ + /* Get index color model attributes */ if (imageType == java_awt_image_BufferedImage_TYPE_BYTE_INDEXED || - (*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/IndexColorModel"))) + cmP->cmType == INDEX_CM_TYPE) { - cmP->cmType = INDEX_CM_TYPE; cmP->transIdx = (*env)->GetIntField(env, jcmodel, g_ICMtransIdxID); cmP->mapSize = (*env)->GetIntField(env, jcmodel, g_ICMmapSizeID); cmP->jrgb = (*env)->GetObjectField(env, jcmodel, g_ICMrgbID); @@ -519,31 +563,6 @@ } } } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/DirectColorModel"))){ - cmP->cmType = DIRECT_CM_TYPE; - } - else { - cmP->cmType = PACKED_CM_TYPE; - } - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/ComponentColorModel"))) - { - cmP->cmType = COMPONENT_CM_TYPE; - } - else if ((*env)->IsInstanceOf(env, jcmodel, - (*env)->FindClass(env, "java/awt/image/PackedColorModel"))) - { - cmP->cmType = PACKED_CM_TYPE; - } - else { - cmP->cmType = UNKNOWN_CM_TYPE; - } - return 1; } @@ -648,6 +667,13 @@ ColorModelS_t *cmodelP = &imageP->cmodel; int imageType = imageP->imageType; + // check whether raster and color model are compatible + if (cmodelP->numComponents != rasterP->numBands) { + if (cmodelP->cmType != INDEX_CM_TYPE) { + return -1; + } + } + hintP->numChans = imageP->cmodel.numComponents; hintP->colorOrder = NULL; if (SAFE_TO_ALLOC_2(hintP->numChans, sizeof(int))) { @@ -1139,6 +1165,10 @@ jsm = (*env)->GetObjectField(env, rasterP->jraster, g_RasterSampleModelID); jdatabuffer = (*env)->GetObjectField(env, rasterP->jraster, g_RasterDataBufferID); + if (band >= numBands) { + JNU_ThrowInternalError(env, "Band out of range."); + return -1; + } /* Here is the generic code */ jdata = (*env)->NewIntArray(env, maxBytes*rasterP->numBands*maxLines); if (JNU_IsNull(env, jdata)) { @@ -1147,11 +1177,6 @@ } if (band >= 0) { int dOff; - if (band >= numBands) { - (*env)->DeleteLocalRef(env, jdata); - JNU_ThrowInternalError(env, "Band out of range."); - return -1; - } off = 0; for (y=0; y < h; y+=maxLines) { if (y+maxLines > h) { diff -r 35323587f1ff -r ab42088d6e10 jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c --- a/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Mon Apr 29 11:47:17 2013 -0400 +++ b/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Tue Apr 30 04:41:01 2013 +0400 @@ -2604,6 +2604,41 @@ return 0; } +#define ERR_BAD_IMAGE_LAYOUT (-2) + +#define CHECK_DST_ARRAY(start_offset, elements_per_pixel) \ + do { \ + int offset = (start_offset); \ + int lastScanOffset; \ + \ + if (!SAFE_TO_MULT(rasterP->scanlineStride, \ + (rasterP->height - 1))) \ + { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset = rasterP->scanlineStride * \ + (rasterP->height - 1); \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (!SAFE_TO_MULT((elements_per_pixel), rasterP->width)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + offset = (elements_per_pixel) * rasterP->width; \ + \ + if (!SAFE_TO_ADD(offset, lastScanOffset)) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + lastScanOffset += offset; \ + \ + if (dataArrayLength < lastScanOffset) { \ + return ERR_BAD_IMAGE_LAYOUT; \ + } \ + } while(0); \ + static int storeImageArray(JNIEnv *env, BufImageS_t *srcP, BufImageS_t *dstP, mlib_image *mlibImP) { @@ -2611,6 +2646,7 @@ unsigned char *cmDataP, *dataP, *cDataP; HintS_t *hintP = &dstP->hints; RasterS_t *rasterP = &dstP->raster; + jsize dataArrayLength = (*env)->GetArrayLength(env, rasterP->jdata); int y; /* REMIND: Store mlib data type? */ @@ -2629,14 +2665,15 @@ if (hintP->packing == BYTE_INTERLEAVED) { /* Write it back to the destination */ + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); cmDataP = (unsigned char *) mlib_ImageGetData(mlibImP); mStride = mlib_ImageGetStride(mlibImP); dataP = (unsigned char *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (dataP == NULL) return 0; - cDataP = dataP + hintP->dataOffset; + cDataP = dataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, cmDataP += mStride, cDataP += hintP->sStride) + y++, cmDataP += mStride, cDataP += rasterP->scanlineStride) { memcpy(cDataP, cmDataP, rasterP->width*hintP->numChans); } @@ -2647,13 +2684,14 @@ /* Write it back to the destination */ unsigned short *sdataP, *sDataP; unsigned short *smDataP = (unsigned short *)mlib_ImageGetData(mlibImP); + CHECK_DST_ARRAY(hintP->channelOffset, hintP->numChans); mStride = mlib_ImageGetStride(mlibImP); sdataP = (unsigned short *)(*env)->GetPrimitiveArrayCritical(env, rasterP->jdata, NULL); if (sdataP == NULL) return -1; - sDataP = sdataP + hintP->dataOffset; + sDataP = sdataP + hintP->channelOffset; for (y=0; y < rasterP->height; - y++, smDataP += mStride, sDataP += hintP->sStride) + y++, smDataP += mStride, sDataP += rasterP->scanlineStride) { memcpy(sDataP, smDataP, rasterP->width*hintP->numChans); } @@ -3446,7 +3484,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3455,11 +3494,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3514,7 +3560,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3523,11 +3570,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3582,7 +3636,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; if (rasterP->numBands > MAX_NUMBANDS) { @@ -3591,11 +3646,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3652,7 +3714,8 @@ unsigned char *inP = inDataP; unsigned char *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned char *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3662,11 +3725,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_BCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned char *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3742,7 +3812,8 @@ unsigned char *inP = inDataP; unsigned short *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned short *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3752,11 +3823,17 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_SCRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned short *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) { @@ -3832,7 +3909,8 @@ unsigned char *inP = inDataP; unsigned int *lineOutP, *outP; jarray jOutDataP; - jint *outDataP; + jsize dataArrayLength; + unsigned int *outDataP; int loff[MAX_NUMBANDS], roff[MAX_NUMBANDS]; int a = rasterP->numBands - 1; @@ -3842,11 +3920,18 @@ /* Grab data ptr, strides, offsets from raster */ jOutDataP = (*env)->GetObjectField(env, rasterP->jraster, g_ICRdataID); + if (JNU_IsNull(env, jOutDataP)) { + return -1; + } + + dataArrayLength = (*env)->GetArrayLength(env, jOutDataP); + CHECK_DST_ARRAY(rasterP->chanOffsets[0], 1); + outDataP = (*env)->GetPrimitiveArrayCritical(env, jOutDataP, 0); if (outDataP == NULL) { return -1; } - lineOutP = (unsigned int *)outDataP + rasterP->chanOffsets[0]; + lineOutP = outDataP + rasterP->chanOffsets[0]; if (component < 0) { for (c=0; c < rasterP->numBands; c++) {