提交 a5fd5646 编写于 作者: B bae

6909597: Sun Java Runtime Environment JPEGImageReader stepX Integer Overflow Vulnerability

Reviewed-by: igor
上级 bf131af4
...@@ -258,6 +258,7 @@ static void clearStreamBuffer(streamBufferPtr sb) { ...@@ -258,6 +258,7 @@ static void clearStreamBuffer(streamBufferPtr sb) {
typedef struct pixelBufferStruct { typedef struct pixelBufferStruct {
jobject hpixelObject; // Usually a DataBuffer bank as a byte array jobject hpixelObject; // Usually a DataBuffer bank as a byte array
unsigned int byteBufferLength;
union pixptr { union pixptr {
INT32 *ip; // Pinned buffer pointer, as 32-bit ints INT32 *ip; // Pinned buffer pointer, as 32-bit ints
unsigned char *bp; // Pinned buffer pointer, as bytes unsigned char *bp; // Pinned buffer pointer, as bytes
...@@ -270,6 +271,7 @@ typedef struct pixelBufferStruct { ...@@ -270,6 +271,7 @@ typedef struct pixelBufferStruct {
*/ */
static void initPixelBuffer(pixelBufferPtr pb) { static void initPixelBuffer(pixelBufferPtr pb) {
pb->hpixelObject = NULL; pb->hpixelObject = NULL;
pb->byteBufferLength = 0;
pb->buf.ip = NULL; pb->buf.ip = NULL;
} }
...@@ -279,13 +281,13 @@ static void initPixelBuffer(pixelBufferPtr pb) { ...@@ -279,13 +281,13 @@ static void initPixelBuffer(pixelBufferPtr pb) {
*/ */
static int setPixelBuffer(JNIEnv *env, pixelBufferPtr pb, jobject obj) { static int setPixelBuffer(JNIEnv *env, pixelBufferPtr pb, jobject obj) {
pb->hpixelObject = (*env)->NewGlobalRef(env, obj); pb->hpixelObject = (*env)->NewGlobalRef(env, obj);
if (pb->hpixelObject == NULL) { if (pb->hpixelObject == NULL) {
JNU_ThrowByName( env, JNU_ThrowByName( env,
"java/lang/OutOfMemoryError", "java/lang/OutOfMemoryError",
"Setting Pixel Buffer"); "Setting Pixel Buffer");
return NOT_OK; return NOT_OK;
} }
pb->byteBufferLength = (*env)->GetArrayLength(env, pb->hpixelObject);
return OK; return OK;
} }
...@@ -302,6 +304,7 @@ static void resetPixelBuffer(JNIEnv *env, pixelBufferPtr pb) { ...@@ -302,6 +304,7 @@ static void resetPixelBuffer(JNIEnv *env, pixelBufferPtr pb) {
unpinPixelBuffer(env, pb); unpinPixelBuffer(env, pb);
(*env)->DeleteGlobalRef(env, pb->hpixelObject); (*env)->DeleteGlobalRef(env, pb->hpixelObject);
pb->hpixelObject = NULL; pb->hpixelObject = NULL;
pb->byteBufferLength = 0;
} }
} }
...@@ -1828,6 +1831,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage ...@@ -1828,6 +1831,7 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage
boolean orderedBands = TRUE; boolean orderedBands = TRUE;
imageIODataPtr data = (imageIODataPtr) ptr; imageIODataPtr data = (imageIODataPtr) ptr;
j_decompress_ptr cinfo; j_decompress_ptr cinfo;
unsigned int numBytes;
/* verify the inputs */ /* verify the inputs */
...@@ -2027,15 +2031,22 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage ...@@ -2027,15 +2031,22 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage
// scanline buffer into the raster. // scanline buffer into the raster.
in = scanLinePtr + (sourceXStart * cinfo->output_components); in = scanLinePtr + (sourceXStart * cinfo->output_components);
if (pixelLimit > in) { if (pixelLimit > in) {
memcpy(out, in, pixelLimit - in); numBytes = pixelLimit - in;
if (numBytes > data->pixelBuf.byteBufferLength) {
numBytes = data->pixelBuf.byteBufferLength;
}
memcpy(out, in, numBytes);
} }
} else { } else {
numBytes = numBands;
for (in = scanLinePtr+sourceXStart*cinfo->output_components; for (in = scanLinePtr+sourceXStart*cinfo->output_components;
in < pixelLimit; in < pixelLimit &&
numBytes <= data->pixelBuf.byteBufferLength;
in += pixelStride) { in += pixelStride) {
for (i = 0; i < numBands; i++) { for (i = 0; i < numBands; i++) {
*out++ = *(in+bands[i]); *out++ = *(in+bands[i]);
} }
numBytes += numBands;
} }
} }
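Review bot: In the readImage hunk the new `numBytes` clamp bounds only the destination: both the `memcpy(out, in, numBytes)` path and the band loop (`*(in+bands[i])`) still read from `in` up to `pixelLimit`, and nothing visible here checks that range against the size of the scanline buffer behind `scanLinePtr`. If `pixelLimit` or `sourceXStart * cinfo->output_components` can be skewed by the same overflow, a large destination array would still permit an out-of-bounds read, so I would also cap the count at the bytes left in the scanline, e.g. `if (numBytes > scanLineBytes - startOffset) numBytes = scanLineBytes - startOffset;`, where both names are placeholders for values computed outside the hunk. The clamp is also only correct if `out` points at the start of the pinned array for each scanline, which is set outside the visible lines and deserves a comment next to the check. Truncating silently hides an invalid stepX/region combination; rejecting the parameters before decoding starts would make the failure visible to the caller.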
......