6899653: Sun Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability
Reviewed-by: prr, hawtin
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c Wed Feb 17 13:32:26 2010 +0300
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c Fri Feb 19 22:30:52 2010 +0300
@@ -1433,6 +1433,9 @@
// If is in memory, the LUT is already there, so throw a copy
if (Icc -> TagPtrs[n]) {
+ if (!_cmsValidateLUT((LPLUT) Icc ->TagPtrs[n])) {
+ return NULL;
+ }
return cmsDupLUT((LPLUT) Icc ->TagPtrs[n]);
}
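Review bot: The new rejection path at `return NULL;` fails silently, so a caller cannot tell a LUT that failed `_cmsValidateLUT` from any other NULL result, whereas the companion check in cmsxform.c reports through `cmsSignalError`. I would report here as well, e.g. `cmsSignalError(LCMS_ERRC_ABORTED, "invalid LUT in profile tag");` before the return, and add a short comment such as `/* Never duplicate a LUT that fails validation (6899653) */` so the guard is not removed later as redundant. Only the in-memory branch is visible; whether LUTs read from a file or stream get the same validation cannot be seen here and is worth confirming. The enclosing function starts and ends outside the hunk.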
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Wed Feb 17 13:32:26 2010 +0300
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Fri Feb 19 22:30:52 2010 +0300
@@ -1969,6 +1969,10 @@
goto ErrorCleanup;
}
+ if (Transforms[i] == NULL) {
+ cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform");
+ goto ErrorCleanup;
+ }
CurrentColorSpace = ColorSpaceOut;
}
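Review bot: The added `goto ErrorCleanup;` is taken with `Transforms[i]` equal to NULL, and the `ErrorCleanup` label lies outside the hunk, so it should be confirmed that the cleanup code skips NULL entries rather than passing them to the transform destructor. The message would also be more useful for triage if it named the failing stage, e.g. `cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform %d", i);`, assuming `i` is an `int` here. A one-line comment such as `/* Transform creation returns NULL when a profile LUT is rejected */` would tie this check to the validation added in cmsio1.c. The loop body begins before the hunk.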