8058248: LittleCMS: Missing checks for NULL returns from memory allocation
authorprr
Tue, 16 Sep 2014 09:26:06 -0700
changeset 26747 2a4b66b4d50a
parent 26746 67d075b319c1
child 26748 fba66a2e8961
8058248: LittleCMS: Missing checks for NULL returns from memory allocation Reviewed-by: bae, jchen, mschoene
jdk/src/java.desktop/share/native/liblcms/cmscgats.c
jdk/src/java.desktop/share/native/liblcms/cmsio0.c
jdk/src/java.desktop/share/native/liblcms/cmsopt.c
jdk/src/java.desktop/share/native/liblcms/cmstypes.c
--- a/jdk/src/java.desktop/share/native/liblcms/cmscgats.c	Mon Sep 15 09:15:21 2014 -0700
+++ b/jdk/src/java.desktop/share/native/liblcms/cmscgats.c	Tue Sep 16 09:26:06 2014 -0700
@@ -2334,6 +2334,7 @@
 
     it8 = (cmsIT8*) hIT8;
     it8 ->MemoryBlock = (char*) _cmsMalloc(ContextID, len + 1);
+    if (it8 ->MemoryBlock == NULL) return NULL;
 
     strncpy(it8 ->MemoryBlock, (const char*) Ptr, len);
     it8 ->MemoryBlock[len] = 0;
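Review bot: The new early return at `if (it8 ->MemoryBlock == NULL) return NULL;` leaks the IT8 handle: `it8` is derived from `hIT8` at the top of the hunk, which appears to have been allocated earlier in this function (outside the hunk), and nothing releases it before returning. If that is the case the check should release the handle first, e.g. `if (it8 ->MemoryBlock == NULL) { cmsIT8Free(hIT8); return NULL; }`. The enclosing function starts before the hunk.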
--- a/jdk/src/java.desktop/share/native/liblcms/cmsio0.c	Mon Sep 15 09:15:21 2014 -0700
+++ b/jdk/src/java.desktop/share/native/liblcms/cmsio0.c	Tue Sep 16 09:26:06 2014 -0700
@@ -1167,34 +1167,6 @@
     return cmsOpenProfileFromMemTHR(NULL, MemPtr, dwSize);
 }
 
-static
-cmsBool SanityCheck(_cmsICCPROFILE* profile)
-{
-    cmsIOHANDLER* io;
-
-    if (!profile) {
-        return FALSE;
-    }
-
-    io = profile->IOhandler;
-    if (!io) {
-        return FALSE;
-    }
-
-    if (!io->Seek ||
-        !(io->Seek==NULLSeek || io->Seek==MemorySeek || io->Seek==FileSeek))
-    {
-        return FALSE;
-    }
-    if (!io->Read ||
-        !(io->Read==NULLRead || io->Read==MemoryRead || io->Read==FileRead))
-    {
-        return FALSE;
-    }
-
-    return TRUE;
-}
-
 // Dump tag contents. If the profile is being modified, untouched tags are copied from FileOrig
 static
 cmsBool SaveTags(_cmsICCPROFILE* Icc, _cmsICCPROFILE* FileOrig)
@@ -1225,7 +1197,7 @@
 
             // Reach here if we are copying a tag from a disk-based ICC profile which has not been modified by user.
             // In this case a blind copy of the block data is performed
-            if (SanityCheck(FileOrig) && Icc -> TagOffsets[i]) {
+            if (FileOrig != NULL && FileOrig->IOhandler != NULL && Icc -> TagOffsets[i]) {
 
                 cmsUInt32Number TagSize   = FileOrig -> TagSizes[i];
                 cmsUInt32Number TagOffset = FileOrig -> TagOffsets[i];
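Review bot: The replacement condition `FileOrig != NULL && FileOrig->IOhandler != NULL` is weaker than the SanityCheck it replaces (removed in the first hunk of this file): it no longer verifies that the handler's `Seek` and `Read` callbacks are set before the blind copy that follows, which presumably calls them (the copy body lies outside the hunk). If a handler with missing callbacks can reach this point, the call would go through a NULL function pointer; keeping the callback tests costs one line: `if (FileOrig != NULL && FileOrig->IOhandler != NULL && FileOrig->IOhandler->Read != NULL && FileOrig->IOhandler->Seek != NULL && Icc -> TagOffsets[i]) {`. Dropping the identity comparison against the three built-in implementations is reasonable if user-supplied IO handlers are accepted elsewhere. SaveTags begins before this hunk and continues after it.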
@@ -1880,6 +1852,7 @@
 {
     _cmsICCPROFILE* Icc = (_cmsICCPROFILE*) hProfile;
     int i;
+    cmsBool ret = TRUE;
 
     if (!_cmsLockMutex(Icc->ContextID, Icc ->UsrMutex)) return 0;
 
@@ -1895,10 +1868,11 @@
 
     // Keep a copy of the block
     Icc ->TagPtrs[i]  = _cmsDupMem(Icc ->ContextID, data, Size);
+    if (!Icc ->TagPtrs[i]) ret = FALSE;
     Icc ->TagSizes[i] = Size;
 
     _cmsUnlockMutex(Icc->ContextID, Icc ->UsrMutex);
-    return TRUE;
+    return ret;
 }
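Review bot: When `_cmsDupMem` fails, `Icc ->TagSizes[i] = Size;` still records the full size beside a NULL `TagPtrs[i]`, so the tag table is left inconsistent even though the function now returns `ret == FALSE`; any later pass over the tags that trusts `TagSizes[i]` would read through the NULL pointer. Keep the size consistent with the pointer: `Icc ->TagSizes[i] = (Icc ->TagPtrs[i] != NULL) ? Size : 0;`. The hunk `@@ -1880,6 +1852,7 @@` of the same function only introduces `ret`; the function starts before that hunk.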
 
 // Using this function you can collapse several tag entries to the same block in the profile
--- a/jdk/src/java.desktop/share/native/liblcms/cmsopt.c	Mon Sep 15 09:15:21 2014 -0700
+++ b/jdk/src/java.desktop/share/native/liblcms/cmsopt.c	Tue Sep 16 09:26:06 2014 -0700
@@ -1181,14 +1181,28 @@
 void* CurvesDup(cmsContext ContextID, const void* ptr)
 {
     Curves16Data* Data = _cmsDupMem(ContextID, ptr, sizeof(Curves16Data));
-    int i;
+    int i, j;
 
     if (Data == NULL) return NULL;
 
     Data ->Curves = _cmsDupMem(ContextID, Data ->Curves, Data ->nCurves * sizeof(cmsUInt16Number*));
+    if (Data -> Curves == NULL) {
+        _cmsFree(ContextID, Data);
+        return NULL;
+    }
 
     for (i=0; i < Data -> nCurves; i++) {
         Data ->Curves[i] = _cmsDupMem(ContextID, Data ->Curves[i], Data -> nElements * sizeof(cmsUInt16Number));
+        if (Data->Curves[i] == NULL) {
+
+            for (j=0; j < i; j++) {
+                _cmsFree(ContextID, Data->Curves[j]);
+            }
+            _cmsFree(ContextID, Data->Curves);
+            _cmsFree(ContextID, Data);
+            return NULL;
+        }
+
     }
 
     return (void*) Data;
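Review bot: The unwinding on failure is spelled out twice in CurvesDup — once after the dup of `Data ->Curves` and again inside the loop, where it also needs the extra index `j` — and the second copy must be kept in step with the first whenever a field is added. A single goto-based cleanup at the end of the function, walking `i` back down, keeps one exit path and drops `j`; the rewrite below performs the same frees on each failure (the partial entries `Curves[0..i-1]`, then the array, then the struct). `Data ->Curves[i]` is NULL at the failing index, so the backwards walk must stop before it, which `while (i-- > 0)` does. The function's closing brace lies outside the hunk.
```c
    int i;
    // … unchanged: dup of the Curves16Data struct and its NULL check …
    Data ->Curves = _cmsDupMem(ContextID, Data ->Curves, Data ->nCurves * sizeof(cmsUInt16Number*));
    if (Data ->Curves == NULL) goto FreeData;

    for (i=0; i < Data -> nCurves; i++) {
        Data ->Curves[i] = _cmsDupMem(ContextID, Data ->Curves[i], Data -> nElements * sizeof(cmsUInt16Number));
        if (Data ->Curves[i] == NULL) goto FreeCurves;
    }

    return (void*) Data;

FreeCurves:
    // Only entries below the failing index were duplicated; release them in reverse.
    while (i-- > 0)
        _cmsFree(ContextID, Data ->Curves[i]);
    _cmsFree(ContextID, Data ->Curves);
FreeData:
    _cmsFree(ContextID, Data);
    return NULL;
```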
--- a/jdk/src/java.desktop/share/native/liblcms/cmstypes.c	Mon Sep 15 09:15:21 2014 -0700
+++ b/jdk/src/java.desktop/share/native/liblcms/cmstypes.c	Tue Sep 16 09:26:06 2014 -0700
@@ -3548,6 +3548,7 @@
     if (n ->Desc == NULL) return NULL;
 
     ASCIIString = (char*) _cmsMalloc(self ->ContextID, SizeOfTag + 1);
+    if (ASCIIString == NULL) return NULL;
     if (io ->Read(io, ASCIIString, sizeof(char), SizeOfTag) != SizeOfTag) return NULL;
     ASCIIString[SizeOfTag] = 0;
     cmsMLUsetASCII(n ->Desc, cmsNoLanguage, cmsNoCountry, ASCIIString);
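Review bot: The new `if (ASCIIString == NULL) return NULL;` leaks `n` and the MLU just stored in `n ->Desc`: both are created before this point (the allocation of `n` is outside the hunk) and neither is released on the early return. The pre-existing `return NULL` on the following `io ->Read` failure has the same leak plus `ASCIIString` itself, so one shared error exit that frees `ASCIIString`, calls `cmsMLUfree(n ->Desc)` and frees `n` would cover both. Separately, `SizeOfTag + 1` wraps to 0 if `SizeOfTag` is a 32-bit count at its maximum value, leaving a zero-length buffer for a `SizeOfTag`-byte read; a guard such as `if (SizeOfTag == UINT_MAX) return NULL;` before the allocation closes that (the declared type of `SizeOfTag` is not visible in the hunk, so confirm). The enclosing function begins before the hunk.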
@@ -3575,6 +3576,7 @@
     // Now comes the text. The length is specified by the tag size
     TextSize = cmsMLUgetASCII(Value ->Desc, cmsNoLanguage, cmsNoCountry, NULL, 0);
     Text     = (char*) _cmsMalloc(self ->ContextID, TextSize);
+    if (Text == NULL) return FALSE;
     if (cmsMLUgetASCII(Value ->Desc, cmsNoLanguage, cmsNoCountry, Text, TextSize) != TextSize) return FALSE;
 
     if (!io ->Write(io, TextSize, Text)) return FALSE;
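Review bot: After `Text` is allocated, the two later failure returns in this hunk — `if (cmsMLUgetASCII(...) != TextSize) return FALSE;` and `if (!io ->Write(io, TextSize, Text)) return FALSE;` — leave `Text` unreleased, so the new NULL check fixes the crash path while the error paths beside it still leak. The same pattern appears in the next hunk (`@@ -3672,6 +3674,7 @@`), where `if (!_cmsWriteUInt32Number(io, TextSize)) return FALSE;` directly follows the `Text` allocation. In both places free before returning, e.g. `if (!io ->Write(io, TextSize, Text)) { _cmsFree(self ->ContextID, Text); return FALSE; }`, or route the failures through one exit that frees `Text`. Both enclosing functions extend beyond their hunks.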
@@ -3672,6 +3674,7 @@
 
     TextSize = cmsMLUgetASCII(mlu, "PS", Section, NULL, 0);
     Text     = (char*) _cmsMalloc(self ->ContextID, TextSize);
+    if (Text == NULL) return FALSE;
 
     if (!_cmsWriteUInt32Number(io, TextSize)) return FALSE;