7013519: [parfait] Integer overflows in 2D code
authorbae
Thu, 17 Feb 2011 12:21:49 +0300
changeset 9827 add64ce324a8
parent 9826 0f553990ca93
child 9828 9c9dd9a1b11b
7013519: [parfait] Integer overflows in 2D code Reviewed-by: prr, valeriep
jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp
--- a/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c	Wed Feb 09 11:50:29 2011 +0800
+++ b/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c	Thu Feb 17 12:21:49 2011 +0300
@@ -1971,6 +1971,13 @@
         return data->abortFlag;
     }
 
+    if (cinfo->output_components <= 0 ||
+        cinfo->image_width > (0xffffffffu / (unsigned int)cinfo->output_components))
+    {
+        JNU_ThrowByName(env, "javax/imageio/IIOException",
+                        "Invalid number of output components");
+        return data->abortFlag;
+    }
 
     // Allocate a 1-scanline buffer
     scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->output_components);
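Review bot: The message thrown on the new guard, "Invalid number of output components", only describes the first half of the condition; the second half rejects a width whose product with output_components would wrap the `unsigned int` passed to malloc below, so a caller who sees the exception for an oversized image is misled. I would either widen the message to `"Invalid image dimensions or number of output components"` or keep it and add a comment above the check, `/* image_width * output_components is computed in unsigned int below; reject sizes that would wrap it */`, so the reason for the 0xffffffffu divisor is visible. The literal could also be `UINT_MAX` from <limits.h> if that header is already included here. Whether the malloc result on the last line is checked is outside the hunk; the enclosing function continues past it.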
--- a/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp	Wed Feb 09 11:50:29 2011 +0800
+++ b/jdk/src/share/native/sun/font/layout/SunLayoutEngine.cpp	Thu Feb 17 12:21:49 2011 +0300
@@ -186,7 +186,11 @@
   jchar buffer[256];
   jchar* chars = buffer;
   if (len > 256) {
-    chars = (jchar*)malloc(len * sizeof(jchar));
+    size_t size = len * sizeof(jchar);
+    if (size / sizeof(jchar) != len) {
+      return;
+    }
+    chars = (jchar*)malloc(size);
     if (chars == 0) {
       return;
     }
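Review bot: The new overflow check at the `size / sizeof(jchar) != len` line compares a size_t against `len`, whose declaration is above the hunk; if `len` is a signed jint (as the `len > 256` test suggests), the product is formed after converting `len` to size_t and the comparison mixes signed and unsigned, which is only safe because the surrounding `len > 256` branch guarantees `len` is positive. A one-line comment makes that dependency explicit and explains the silent bail-out, for example `// len > 256 here, so the conversion to size_t is lossless; a wrapped product is treated like a failed malloc` above the `if`. On 64-bit targets the wrap cannot occur for a 32-bit len, so the check is effectively a 32-bit safeguard, which the comment could also state. The enclosing function starts before the hunk, so how the early return is reported to the caller is not visible here.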