6823373: [ZDI-CAN-460] Java Web Start JPEG header parsing needs more scruity
Reviewed-by: igor
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c Fri May 08 15:57:33 2009 +0400
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_jpeg.c Fri May 08 16:15:15 2009 +0400
@@ -139,21 +139,45 @@
splash->width = cinfo->output_width;
splash->height = cinfo->output_height;
+
+ if (!SAFE_TO_ALLOC(splash->imageFormat.depthBytes, splash->width)) {
+ return 0;
+ }
stride = splash->width * splash->imageFormat.depthBytes;
+ if (!SAFE_TO_ALLOC(stride, splash->height)) {
+ return 0;
+ }
+ if (!SAFE_TO_ALLOC(cinfo->output_width, cinfo->output_components)) {
+ return 0;
+ }
+
splash->frameCount = 1;
splash->frames = (SplashImage *) malloc(sizeof(SplashImage) *
splash->frameCount);
+ if (splash->frames == NULL) {
+ return 0;
+ }
memset(splash->frames, 0, sizeof(SplashImage) *
splash->frameCount);
+
splash->loopCount = 1;
+ splash->frames[0].delay = 0;
splash->frames[0].bitmapBits = malloc(stride * splash->height);
- splash->frames[0].delay = 0;
+ if (splash->frames[0].bitmapBits == NULL) {
+ free(splash->frames);
+ return 0;
+ }
rowStride = cinfo->output_width * cinfo->output_components;
buffer = (*cinfo->mem->alloc_sarray)
((j_common_ptr) cinfo, JPOOL_IMAGE, rowStride, 1);
+ if (buffer == NULL) {
+ free(splash->frames[0].bitmapBits);
+ free(splash->frames);
+ return 0;
+ }
initFormat(&srcFormat, 0x00FF0000, 0x0000FF00, 0x000000FF, 0x00000000);
srcFormat.byteOrder = BYTE_ORDER_LSBFIRST;