6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]
authorbae
Thu, 05 Mar 2009 19:36:51 +0300
changeset 2610 9856ea68e32b
parent 2609 1db65c97bddc
child 2611 c22bf553c819
6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1] Reviewed-by: prr
jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
--- a/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java	Tue Mar 03 16:10:37 2009 -0800
+++ b/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java	Thu Mar 05 19:36:51 2009 +0300
@@ -585,9 +585,16 @@
             System.out.print("Reading a " + width + " by " + height + " " +
                       (interlace ? "" : "non-") + "interlaced image...");
         }
-
+        int initCodeSize = ExtractByte(block, 9);
+        if (initCodeSize >= 12) {
+            if (verbose) {
+                System.out.println("Invalid initial code size: " +
+                                   initCodeSize);
+            }
+            return false;
+        }
         boolean ret = parseImage(x, y, width, height,
-                                 interlace, ExtractByte(block, 9),
+                                 interlace, initCodeSize,
                                  block, rasline, model);
 
         if (!ret) {
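Review bot: The new guard `if (initCodeSize >= 12)` bounds only the upper end; the GIF89a LZW minimum code size field is specified as 2–8, so a value of 0 or 1 still reaches parseImage, whose handling of such a narrow initial code is not visible in this hunk. Unless parseImage is known to tolerate it (some encoders do emit 1 for two-colour images, so check before tightening), `if (initCodeSize < 2 || initCodeSize >= 12) {` would make the rejection symmetric. The constant 12 is also unexplained at the call site; a comment such as `// LZW codes are at most 12 bits wide (4096 table entries); larger initial sizes overrun the native decoder's tables` would tie it to the matching check in gifdecoder.c. The enclosing method starts and ends outside the hunk.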
--- a/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c	Tue Mar 03 16:10:37 2009 -0800
+++ b/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c	Thu Mar 05 19:36:51 2009 +0300
@@ -191,6 +191,11 @@
     int passht = passinc;
     int len;
 
+    /* We have verified the initial code size on the java layer.
+     * Here we just check bounds for particular indexes. */
+    if (freeCode >= 4096 || maxCode >= 4096) {
+        return 0;
+    }
     if (blockh == 0 || raslineh == 0
         || prefixh == 0 || suffixh == 0
         || outCodeh == 0)
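Review bot: The added check on `freeCode` and `maxCode` has no lower bound, so a negative value passes it and, if either is later used as a table index (the prefix/suffix handles checked just below suggest they are), would still address memory before the buffer; `if (freeCode < 0 || freeCode >= 4096 || maxCode < 0 || maxCode >= 4096) {` closes that gap at no cost. The comment's statement that the Java layer has already validated the initial code size is a trust assumption rather than a guarantee at this entry point, which any caller of the native method can reach, so the guard here should be written as the authoritative check, e.g. `/* Reject out-of-range table indexes regardless of what the caller validated. */`. The function begins before this hunk and continues past it, so the actual uses of these values are not visible here.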