6632445: DoS from parsing BMPs with UNC ICC links

Reviewed-by: prr, hawtin

src/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java

@@ -62,6 +62,8 @@ import javax.imageio.event.IIOReadWarningListener;
 
 import java.io.*;
 import java.nio.*;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.StringTokenizer;
@@ -502,12 +504,18 @@ public class BMPImageReader extends ImageReader implements BMPConstants {
             iis.reset();
 
             try {
-                if (metadata.colorSpace == PROFILE_LINKED)
+                if (metadata.colorSpace == PROFILE_LINKED &&
+                    isLinkedProfileAllowed() &&
+                    !isUncOrDevicePath(profile))
+                {
+                    String path = new String(profile, "windows-1252");
+
                     colorSpace =
-                        new ICC_ColorSpace(ICC_Profile.getInstance(new String(profile)));
-                else
+                        new ICC_ColorSpace(ICC_Profile.getInstance(path));
+                } else {
                     colorSpace =
                         new ICC_ColorSpace(ICC_Profile.getInstance(profile));
+                }
             } catch (Exception e) {
                 colorSpace = ColorSpace.getInstance(ColorSpace.CS_sRGB);
             }
@@ -1745,4 +1753,69 @@ public class BMPImageReader extends ImageReader implements BMPConstants {
         public void sequenceStarted(ImageReader src, int minIndex) {}
         public void readAborted(ImageReader src) {}
     }
+
+    private static Boolean isLinkedProfileDisabled = null;
+
+    private static boolean isLinkedProfileAllowed() {
+        if (isLinkedProfileDisabled == null) {
+            PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
+                public Boolean run() {
+                    return Boolean.getBoolean("sun.imageio.plugins.bmp.disableLinkedProfiles");
+                }
+            };
+            isLinkedProfileDisabled = AccessController.doPrivileged(a);
+        }
+        return !isLinkedProfileDisabled;
+    }
+
+    private static Boolean isWindowsPlatform = null;
+
+    /**
+     * Verifies whether the byte array contans a unc path.
+     * Non-UNC path examples:
+     *  c:\path\to\file  - simple notation
+     *  \\?\c:\path\to\file - long notation
+     *
+     * UNC path examples:
+     *  \\server\share - a UNC path in simple notation
+     *  \\?\UNC\server\share - a UNC path in long notation
+     *  \\.\some\device - a path to device.
+     */
+    private static boolean isUncOrDevicePath(byte[] p) {
+        if (isWindowsPlatform == null) {
+            PrivilegedAction<Boolean> a = new PrivilegedAction<Boolean>() {
+                public Boolean run() {
+                    String osname = System.getProperty("os.name");
+                    return (osname != null &&
+                            osname.toLowerCase().startsWith("win"));
+                }
+            };
+            isWindowsPlatform = AccessController.doPrivileged(a);
+        }
+
+        if (!isWindowsPlatform) {
+            /* no need for the check on platforms except windows */
+            return false;
+        }
+
+        /* normalize prefix of the path */
+        if (p[0] == '/') p[0] = '\\';
+        if (p[1] == '/') p[1] = '\\';
+        if (p[3] == '/') p[3] = '\\';
+
+
+        if ((p[0] == '\\') && (p[1] == '\\')) {
+            if ((p[2] == '?') && (p[3] == '\\')) {
+                // long path: whether unc or local
+                return ((p[4] == 'U' || p[4] == 'u') &&
+                        (p[5] == 'N' || p[5] == 'n') &&
+                        (p[6] == 'C' || p[6] == 'c'));
+            } else {
+                // device path or short unc notation
+                return true;
+            }
+        } else {
+            return false;
+        }
+    }
 }