6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]

Reviewed-by: prr

6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]
Reviewed-by: prr
1447a514 · bae · 19b2b253 · 1447a514 · 1447a514
Showing with 14 addition and 2 deletion

src/share/classes/sun/awt/image/GifImageDecoder.java src/share/classes/sun/awt/image/GifImageDecoder.java +9 -2

src/share/native/sun/awt/image/gif/gifdecoder.c src/share/native/sun/awt/image/gif/gifdecoder.c +5 -0

未找到文件。
--- a/src/share/classes/sun/awt/image/GifImageDecoder.java
+++ b/src/share/classes/sun/awt/image/GifImageDecoder.java
@@ -585,9 +585,16 @@ public class GifImageDecoder extends ImageDecoder {
            System.out.print("Reading a " + width + " by " + height + " " +
                      (interlace ? "" : "non-") + "interlaced image...");
        }
+        int initCodeSize = ExtractByte(block, 9);
+        if (initCodeSize >= 12) {
+            if (verbose) {
+                System.out.println("Invalid initial code size: " +
+                                   initCodeSize);
+            }
+            return false;
+        }
        boolean ret = parseImage(x, y, width, height,
-                                 interlace, ExtractByte(block, 9),
+                                 interlace, initCodeSize,
                                 block, rasline, model);
        if (!ret) {

--- a/src/share/native/sun/awt/image/gif/gifdecoder.c
+++ b/src/share/native/sun/awt/image/gif/gifdecoder.c
@@ -191,6 +191,11 @@ Java_sun_awt_image_GifImageDecoder_parseImage(JNIEnv *env,
    int passht = passinc;
    int len;
+    /* We have verified the initial code size on the java layer.
+     * Here we just check bounds for particular indexes. */
+    if (freeCode >= 4096 || maxCode >= 4096) {
+        return 0;
+    }
    if (blockh == 0 || raslineh == 0
        || prefixh == 0 || suffixh == 0
        || outCodeh == 0)