--- a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java Tue May 07 13:37:03 2013 -0700
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java Thu May 09 09:52:55 2013 -0700
@@ -1165,6 +1165,11 @@
target = imRas;
}
int [] bandSizes = target.getSampleModel().getSampleSize();
+ for (int i = 0; i < bandSizes.length; i++) {
+ if (bandSizes[i] <= 0 || bandSizes[i] > 8) {
+ throw new IIOException("Illegal band size: should be 0 < size <= 8");
+ }
+ }
/*
* If the process is sequential, and we have restart markers,
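Review bot: The limit `8` and the message text in the added loop are repeated verbatim in the JPEGImageWriter hunk, and both presumably have to agree with the native `JPEG_BAND_SIZE` that the imageioJPEG.c hunk compares against, yet nothing ties the three together. A constant shared by reader and writer, for example `static final int MAX_BAND_SIZE = 8; // keep in sync with JPEG_BAND_SIZE in imageioJPEG.c`, would make a one-sided change hard to miss, which matters because this loop is the first check on band sizes taken from the destination raster before they reach native code. The message could also name the offending band, e.g. `"Illegal band size " + bandSizes[i] + " in band " + i + ": should be 0 < size <= 8"`. The enclosing method starts and ends outside the hunk.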
--- a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java Tue May 07 13:37:03 2013 -0700
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageWriter.java Thu May 09 09:52:55 2013 -0700
@@ -495,8 +495,8 @@
// handle <= 8-bit samples. We now check the band sizes and throw
// an exception for images, such as USHORT_GRAY, with > 8 bits
// per sample.
- if (bandSizes[i] > 8) {
- throw new IIOException("Sample size must be <= 8");
+ if (bandSizes[i] <= 0 || bandSizes[i] > 8) {
+ throw new IIOException("Illegal band size: should be 0 < size <= 8");
}
// 4450894 part 2: We expand IndexColorModel images to full 24-
// or 32-bit in grabPixels() for each scanline. For indexed
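Review bot: The comment directly above the changed condition still describes only the `> 8 bits per sample` case, while the new test also rejects zero and negative band sizes. I would add a line such as `// Non-positive band sizes are rejected too; they are not valid sample sizes.` so the reason for the lower bound is recorded next to the check. The loop that supplies `i` begins outside the hunk.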
--- a/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c Tue May 07 13:37:03 2013 -0700
+++ b/jdk/src/share/native/sun/awt/image/jpeg/imageioJPEG.c Thu May 09 09:52:55 2013 -0700
@@ -2675,6 +2675,15 @@
bandSize = (*env)->GetIntArrayElements(env, bandSizes, NULL);
for (i = 0; i < numBands; i++) {
+ if (bandSize[i] <= 0 || bandSize[i] > JPEG_BAND_SIZE) {
+ (*env)->ReleaseIntArrayElements(env, bandSizes,
+ bandSize, JNI_ABORT);
+ JNU_ThrowByName(env, "javax/imageio/IIOException", "Invalid Image");
+ return JNI_FALSE;;
+ }
+ }
+
+ for (i = 0; i < numBands; i++) {
if (bandSize[i] != JPEG_BAND_SIZE) {
if (scale == NULL) {
scale = (UINT8**) calloc(numBands, sizeof(UINT8*));
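Review bot: The new validation loop indexes `bandSize[i]` straight after `GetIntArrayElements` with no NULL check, and JNI allows that call to return NULL when it cannot provide the elements. A guard before the loop, `if (bandSize == NULL) { return JNI_FALSE; }`, would avoid a native NULL dereference; whether an exception is already pending at that point or has to be thrown should be confirmed against the rest of the function. The loop also trusts `numBands` to be no larger than the length of `bandSizes`, which is not visible in this hunk and is worth confirming. `return JNI_FALSE;;` carries a stray second semicolon. The enclosing function starts and ends outside the hunk, so any other state held at this early return cannot be checked from here.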