Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
c7f2054c
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
c7f2054c
编写于
2月 20, 2009
作者:
B
bae
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8]
Reviewed-by: prr
上级
985a5c39
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
27 addition
and
4 deletion
+27
-4
src/share/native/sun/awt/splashscreen/splashscreen_gif.c
src/share/native/sun/awt/splashscreen/splashscreen_gif.c
+0
-4
src/share/native/sun/awt/splashscreen/splashscreen_impl.h
src/share/native/sun/awt/splashscreen/splashscreen_impl.h
+4
-0
src/share/native/sun/awt/splashscreen/splashscreen_png.c
src/share/native/sun/awt/splashscreen/splashscreen_png.c
+23
-0
未找到文件。
src/share/native/sun/awt/splashscreen/splashscreen_gif.c
浏览文件 @
c7f2054c
...
...
@@ -53,10 +53,6 @@ static const char szNetscape20ext[11] = "NETSCAPE2.0";
// convert libungif samples to our ones
#define MAKE_QUAD_GIF(c,a) MAKE_QUAD((c).Red, (c).Green, (c).Blue, (a))
#define SAFE_TO_ALLOC(c, sz) \
(((c) > 0) && ((sz) > 0) && \
((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
/* stdio FILE* and memory input functions for libungif */
int
SplashStreamGifInputFunc
(
GifFileType
*
gif
,
GifByteType
*
buf
,
int
n
)
...
...
src/share/native/sun/awt/splashscreen/splashscreen_impl.h
浏览文件 @
c7f2054c
...
...
@@ -155,6 +155,10 @@ int BitmapToYXBandedRectangles(ImageRect * pSrcRect, RECT_T * out);
void
SplashInitFrameShape
(
Splash
*
splash
,
int
imageIndex
);
#define SAFE_TO_ALLOC(c, sz) \
(((c) > 0) && ((sz) > 0) && \
((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
#define dbgprintf printf
#endif
src/share/native/sun/awt/splashscreen/splashscreen_png.c
浏览文件 @
c7f2054c
...
...
@@ -103,9 +103,17 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
rowbytes
=
png_get_rowbytes
(
png_ptr
,
info_ptr
);
if
(
!
SAFE_TO_ALLOC
(
rowbytes
,
height
))
{
goto
done
;
}
if
((
image_data
=
(
unsigned
char
*
)
malloc
(
rowbytes
*
height
))
==
NULL
)
{
goto
done
;
}
if
(
!
SAFE_TO_ALLOC
(
height
,
sizeof
(
png_bytep
)))
{
goto
done
;
}
if
((
row_pointers
=
(
png_bytepp
)
malloc
(
height
*
sizeof
(
png_bytep
)))
==
NULL
)
{
goto
done
;
...
...
@@ -121,13 +129,28 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
splash
->
width
=
width
;
splash
->
height
=
height
;
if
(
!
SAFE_TO_ALLOC
(
splash
->
width
,
splash
->
imageFormat
.
depthBytes
))
{
goto
done
;
}
stride
=
splash
->
width
*
splash
->
imageFormat
.
depthBytes
;
if
(
!
SAFE_TO_ALLOC
(
splash
->
height
,
stride
))
{
goto
done
;
}
splash
->
frameCount
=
1
;
splash
->
frames
=
(
SplashImage
*
)
malloc
(
sizeof
(
SplashImage
)
*
splash
->
frameCount
);
if
(
splash
->
frames
==
NULL
)
{
goto
done
;
}
splash
->
loopCount
=
1
;
splash
->
frames
[
0
].
bitmapBits
=
malloc
(
stride
*
splash
->
height
);
if
(
splash
->
frames
[
0
].
bitmapBits
==
NULL
)
{
free
(
splash
->
frames
);
goto
done
;
}
splash
->
frames
[
0
].
delay
=
0
;
/* FIXME: sort out the real format */
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录