6872357: JRE AWT setDifflCM vulnerable to Stack Overflow
Reviewed-by: prr, hawtin
--- a/jdk/src/share/native/sun/awt/image/awt_ImageRep.c Thu Sep 10 12:26:34 2009 +0400
+++ b/jdk/src/share/native/sun/awt/image/awt_ImageRep.c Thu Sep 10 12:50:09 2009 +0400
@@ -266,6 +266,13 @@
jnewlut = (*env)->GetObjectField(env, jicm, g_ICMrgbID);
mapSize = (*env)->GetIntField(env, jicm, g_ICMmapSizeID);
+ if (numLut < 0 || numLut > 256 || mapSize < 0 || mapSize > 256) {
+ /* Ether old or new ICM has a palette that exceeds capacity
+ of byte data type, so we have to convert the image data
+ to default representation.
+ */
+ return 0;
+ }
srcLUT = (unsigned int *) (*env)->GetPrimitiveArrayCritical(env, jlut,
NULL);
if (srcLUT == NULL) {
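Review bot: The added `if` bounds the declared sizes `numLut` and `mapSize` to 0..256, but nothing in the hunk ties them to the actual lengths of `jlut` and `jnewlut`, which are fetched separately from the size fields; if later code indexes the pinned arrays up to those counts (not visible here), a palette whose size field exceeds its array length would still be read out of bounds. A check before `GetPrimitiveArrayCritical`, such as `if (numLut > (*env)->GetArrayLength(env, jlut) || mapSize > (*env)->GetArrayLength(env, jnewlut)) return 0;`, would close that gap, provided both references are known to be non-null at this point. The literal 256 presumably mirrors a fixed-size buffer elsewhere in the function, so a named constant shared with that buffer's declaration would keep the two from drifting apart, and the comment's "Ether" should read "Either". The enclosing function begins and ends outside the hunk.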