# HG changeset patch
# User bae
# Date 1277971454 -14400
# Node ID f9131565859ecb8c05bce83367b2bce579b69072
# Parent 3e770ac705b6590fd221a28ab0e83193fb2149b7
6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability
Reviewed-by: prr
diff -r 3e770ac705b6 -r f9131565859e jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Wed Jun 30 16:24:37 2010 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c Thu Jul 01 12:04:14 2010 +0400
@@ -190,12 +190,13 @@
  "sTrans.xf == NULL");
  JNU_ThrowByName(env, "java/awt/color/CMMException", "Cannot get color transform");
+ } else {
+ Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
  }
  if (iccArray != &_iccArray[0]) {
  free(iccArray);
  }
- Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
  return sTrans.j;
  }
diff -r 3e770ac705b6 -r f9131565859e jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Wed Jun 30 16:24:37 2010 +0100
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c Thu Jul 01 12:04:14 2010 +0400
@@ -687,6 +687,9 @@
  LPGAMMATABLE Shapes1[3];
  GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+ if (!GrayTRC) {
+ return NULL;
+ }
  FromLstarToXYZ(GrayTRC, Shapes1); // Reversing must be done after curve translation
@@ -703,6 +706,9 @@
  // Normal case
  GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag); // Y
+ if (!GrayTRC) {
+ return NULL;
+ }
  Shapes[0] = cmsDupGamma(GrayTRC);
  Shapes[1] = cmsDupGamma(GrayTRC);
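Review bot: In the LCMS.c hunk the failure branch still falls through to `return sTrans.j;` with a CMMException pending, and nothing visible says what handle value the Java side receives in that case. `sTrans.xf` and `sTrans.j` look like two views of the same storage, so the result is presumably 0, but that should be confirmed and stated. The new `else` also deserves a why-comment, for example `/* register only a valid transform: a NULL one must never be handed to LCMS_freeTransform by the Disposer */`, since that ordering is the actual fix. The function begins outside the hunk, so the declaration of `sTrans` and the code that creates the transform are not visible here.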
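Review bot: The new `if (!GrayTRC) { return NULL; }` guard after `cmsReadICCGamma` in cmsxform.c returns silently, and the identical guard is added after `cmsReadICCGammaReversed` in the hunk at -703, so a rejected profile leaves no trace of why it was refused. A short comment on each guard, such as `/* gray TRC tag missing or unreadable: refuse to build from this profile */`, would record that this is the path handling a malformed profile. The enclosing function begins and ends outside both hunks, so it is not visible whether anything acquired earlier must be released before the early return. It is likewise not visible whether every caller checks the NULL result, and both are worth confirming.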
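Review bot: In the hunk at -703 the results of `cmsDupGamma(GrayTRC)` stored in `Shapes[0]` and `Shapes[1]` are not checked in the visible lines, so the added guard covers only the tag read and not the copies made from it. `cmsDupGamma` presumably allocates the copy and can fail; if so, a NULL entry would reach whatever consumes `Shapes` further down. The rest of the block is outside the hunk, so a later check may exist. If none does, a guard after the duplications along the lines of `if (!Shapes[0] || !Shapes[1]) { /* release GrayTRC and any copies */ return NULL; }` would close the same class of NULL dereference this commit targets.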