6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability
Reviewed-by: prr
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Wed Jun 30 16:24:37 2010 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Thu Jul 01 12:04:14 2010 +0400
@@ -190,12 +190,13 @@
"sTrans.xf == NULL");
JNU_ThrowByName(env, "java/awt/color/CMMException",
"Cannot get color transform");
+ } else {
+ Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
}
if (iccArray != &_iccArray[0]) {
free(iccArray);
}
- Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
return sTrans.j;
}
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Wed Jun 30 16:24:37 2010 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Thu Jul 01 12:04:14 2010 +0400
@@ -687,6 +687,9 @@
LPGAMMATABLE Shapes1[3];
GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+ if (!GrayTRC) {
+ return NULL;
+ }
FromLstarToXYZ(GrayTRC, Shapes1);
// Reversing must be done after curve translation
@@ -703,6 +706,9 @@
// Normal case
GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag); // Y
+ if (!GrayTRC) {
+ return NULL;
+ }
Shapes[0] = cmsDupGamma(GrayTRC);
Shapes[1] = cmsDupGamma(GrayTRC);