Mercurial Mercurial > jdk-sandbox / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8]
authorbae
Fri, 20 Feb 2009 13:48:32 +0300
changeset 2608 fe2af56a83d3
parent 2607 7a11e5916dda
child 2609 1db65c97bddc
6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8] Reviewed-by: prr
jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c file | annotate | diff | comparison | revisions
jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h file | annotate | diff | comparison | revisions
jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c file | annotate | diff | comparison | revisions 
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c	Wed Feb 18 14:14:03 2009 -0800
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c	Fri Feb 20 13:48:32 2009 +0300
@@ -53,10 +53,6 @@
 // convert libungif samples to our ones
 #define MAKE_QUAD_GIF(c,a) MAKE_QUAD((c).Red, (c).Green, (c).Blue, (a))
 
-#define SAFE_TO_ALLOC(c, sz)                                               \
-    (((c) > 0) && ((sz) > 0) &&                                            \
-     ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
-
 /* stdio FILE* and memory input functions for libungif */
 int
 SplashStreamGifInputFunc(GifFileType * gif, GifByteType * buf, int n)
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h	Wed Feb 18 14:14:03 2009 -0800
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h	Fri Feb 20 13:48:32 2009 +0300
@@ -155,6 +155,10 @@
 
 void SplashInitFrameShape(Splash * splash, int imageIndex);
 
+#define SAFE_TO_ALLOC(c, sz)                                               \
+    (((c) > 0) && ((sz) > 0) &&                                            \
+     ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
+
 #define dbgprintf printf
 
 #endif
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c	Wed Feb 18 14:14:03 2009 -0800
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c	Fri Feb 20 13:48:32 2009 +0300
@@ -103,9 +103,17 @@
 
     rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+    if (!SAFE_TO_ALLOC(rowbytes, height)) {
+        goto done;
+    }
+
     if ((image_data = (unsigned char *) malloc(rowbytes * height)) == NULL) {
         goto done;
     }
+
+    if (!SAFE_TO_ALLOC(height, sizeof(png_bytep))) {
+        goto done;
+    }
     if ((row_pointers = (png_bytepp) malloc(height * sizeof(png_bytep)))
             == NULL) {
         goto done;
@@ -121,13 +129,28 @@
     splash->width = width;
     splash->height = height;
 
+    if (!SAFE_TO_ALLOC(splash->width, splash->imageFormat.depthBytes)) {
+        goto done;
+    }
     stride = splash->width * splash->imageFormat.depthBytes;
 
+    if (!SAFE_TO_ALLOC(splash->height, stride)) {
+        goto done;
+    }
     splash->frameCount = 1;
     splash->frames = (SplashImage *)
         malloc(sizeof(SplashImage) * splash->frameCount);
+
+    if (splash->frames == NULL) {
+        goto done;
+    }
+
     splash->loopCount = 1;
     splash->frames[0].bitmapBits = malloc(stride * splash->height);
+    if (splash->frames[0].bitmapBits == NULL) {
+        free(splash->frames);
+        goto done;
+    }
     splash->frames[0].delay = 0;
 
     /* FIXME: sort out the real format */
jdk-sandbox