Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
32c95ad6
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
32c95ad6
编写于
6月 30, 2010
作者:
B
bae
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6963023: ZDI-CAN-809: Sun JRE JPEGImageWriter.writeImage Remote Code Execution Vulnerability
Reviewed-by: prr
上级
73c6f8a0
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
16 addition
and
6 deletion
+16
-6
src/share/native/sun/awt/image/jpeg/imageioJPEG.c
src/share/native/sun/awt/image/jpeg/imageioJPEG.c
+16
-6
未找到文件。
src/share/native/sun/awt/image/jpeg/imageioJPEG.c
浏览文件 @
32c95ad6
...
@@ -2614,7 +2614,8 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2614,7 +2614,8 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
JSAMPROW
scanLinePtr
;
JSAMPROW
scanLinePtr
;
int
i
,
j
;
int
i
,
j
;
int
pixelStride
;
int
pixelStride
;
unsigned
char
*
in
,
*
out
,
*
pixelLimit
;
unsigned
char
*
in
,
*
out
,
*
pixelLimit
,
*
scanLineLimit
;
unsigned
int
scanLineSize
,
pixelBufferSize
;
int
targetLine
;
int
targetLine
;
pixelBufferPtr
pb
;
pixelBufferPtr
pb
;
sun_jpeg_error_ptr
jerr
;
sun_jpeg_error_ptr
jerr
;
...
@@ -2650,19 +2651,25 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2650,19 +2651,25 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
}
}
scanLineSize
=
destWidth
*
numBands
;
if
((
inCs
<
0
)
||
(
inCs
>
JCS_YCCK
)
||
if
((
inCs
<
0
)
||
(
inCs
>
JCS_YCCK
)
||
(
outCs
<
0
)
||
(
outCs
>
JCS_YCCK
)
||
(
outCs
<
0
)
||
(
outCs
>
JCS_YCCK
)
||
(
numBands
<
1
)
||
(
numBands
>
MAX_BANDS
)
||
(
numBands
<
1
)
||
(
numBands
>
MAX_BANDS
)
||
(
srcWidth
<
0
)
||
(
srcWidth
<
0
)
||
(
destWidth
<
0
)
||
(
destWidth
>
srcWidth
)
||
(
destWidth
<
0
)
||
(
destWidth
>
srcWidth
)
||
(
destHeight
<
0
)
||
(
destHeight
<
0
)
||
(
stepX
<
0
)
||
(
stepY
<
0
))
(
stepX
<
0
)
||
(
stepY
<
0
)
||
((
scanLineSize
/
numBands
)
<
destWidth
))
/* destWidth causes an integer overflow */
{
{
JNU_ThrowByName
(
env
,
"javax/imageio/IIOException"
,
JNU_ThrowByName
(
env
,
"javax/imageio/IIOException"
,
"Invalid argument to native writeImage"
);
"Invalid argument to native writeImage"
);
return
JNI_FALSE
;
return
JNI_FALSE
;
}
}
if
(
stepX
>
srcWidth
)
{
stepX
=
srcWidth
;
}
bandSize
=
(
*
env
)
->
GetIntArrayElements
(
env
,
bandSizes
,
NULL
);
bandSize
=
(
*
env
)
->
GetIntArrayElements
(
env
,
bandSizes
,
NULL
);
for
(
i
=
0
;
i
<
numBands
;
i
++
)
{
for
(
i
=
0
;
i
<
numBands
;
i
++
)
{
...
@@ -2710,7 +2717,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2710,7 +2717,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
}
}
// Allocate a 1-scanline buffer
// Allocate a 1-scanline buffer
scanLinePtr
=
(
JSAMPROW
)
malloc
(
destWidth
*
numBands
);
scanLinePtr
=
(
JSAMPROW
)
malloc
(
scanLineSize
);
if
(
scanLinePtr
==
NULL
)
{
if
(
scanLinePtr
==
NULL
)
{
RELEASE_ARRAYS
(
env
,
data
,
(
const
JOCTET
*
)(
dest
->
next_output_byte
));
RELEASE_ARRAYS
(
env
,
data
,
(
const
JOCTET
*
)(
dest
->
next_output_byte
));
JNU_ThrowByName
(
env
,
JNU_ThrowByName
(
env
,
...
@@ -2718,6 +2725,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2718,6 +2725,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
"Writing JPEG Stream"
);
"Writing JPEG Stream"
);
return
data
->
abortFlag
;
return
data
->
abortFlag
;
}
}
scanLineLimit
=
scanLinePtr
+
scanLineSize
;
/* Establish the setjmp return context for sun_jpeg_error_exit to use. */
/* Establish the setjmp return context for sun_jpeg_error_exit to use. */
jerr
=
(
sun_jpeg_error_ptr
)
cinfo
->
err
;
jerr
=
(
sun_jpeg_error_ptr
)
cinfo
->
err
;
...
@@ -2866,6 +2874,8 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2866,6 +2874,8 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
}
}
targetLine
=
0
;
targetLine
=
0
;
pixelBufferSize
=
srcWidth
*
numBands
;
pixelStride
=
numBands
*
stepX
;
// for each line in destHeight
// for each line in destHeight
while
((
data
->
abortFlag
==
JNI_FALSE
)
while
((
data
->
abortFlag
==
JNI_FALSE
)
...
@@ -2886,9 +2896,9 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
...
@@ -2886,9 +2896,9 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageWriter_writeImage
in
=
data
->
pixelBuf
.
buf
.
bp
;
in
=
data
->
pixelBuf
.
buf
.
bp
;
out
=
scanLinePtr
;
out
=
scanLinePtr
;
pixelLimit
=
in
+
srcWidth
*
numBands
;
pixelLimit
=
in
+
((
pixelBufferSize
>
data
->
pixelBuf
.
byteBufferLength
)
?
pixelStride
=
numBands
*
stepX
;
data
->
pixelBuf
.
byteBufferLength
:
pixelBufferSize
)
;
for
(;
in
<
pixelLimit
;
in
+=
pixelStride
)
{
for
(;
(
in
<
pixelLimit
)
&&
(
out
<
scanLineLimit
)
;
in
+=
pixelStride
)
{
for
(
i
=
0
;
i
<
numBands
;
i
++
)
{
for
(
i
=
0
;
i
<
numBands
;
i
++
)
{
if
(
scale
!=
NULL
&&
scale
[
i
]
!=
NULL
)
{
if
(
scale
!=
NULL
&&
scale
[
i
]
!=
NULL
)
{
*
out
++
=
scale
[
i
][
*
(
in
+
i
)];
*
out
++
=
scale
[
i
][
*
(
in
+
i
)];
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录