6872357: JRE AWT setDifflCM vulnerable to Stack Overflow
authorbae
Thu, 10 Sep 2009 12:50:09 +0400
changeset 4202 20061d84dd36
parent 4201 b3906ffdbcd6
child 4203 059fe9142d1c
6872357: JRE AWT setDifflCM vulnerable to Stack Overflow Reviewed-by: prr, hawtin
jdk/src/share/native/sun/awt/image/awt_ImageRep.c
--- a/jdk/src/share/native/sun/awt/image/awt_ImageRep.c	Thu Sep 10 12:26:34 2009 +0400
+++ b/jdk/src/share/native/sun/awt/image/awt_ImageRep.c	Thu Sep 10 12:50:09 2009 +0400
@@ -266,6 +266,13 @@
     jnewlut = (*env)->GetObjectField(env, jicm, g_ICMrgbID);
     mapSize = (*env)->GetIntField(env, jicm, g_ICMmapSizeID);
 
+    if (numLut < 0 || numLut > 256 || mapSize < 0 || mapSize > 256) {
+        /* Ether old or new ICM has a palette that exceeds capacity
+           of byte data type, so we have to convert the image data
+           to default representation.
+        */
+        return 0;
+    }
     srcLUT = (unsigned int *) (*env)->GetPrimitiveArrayCritical(env, jlut,
                                                                 NULL);
     if (srcLUT == NULL) {