From cdafef64fb24f85e98a32f36c8bf7308c7bea4f9 Mon Sep 17 00:00:00 2001
From: bae
Date: Thu, 17 Feb 2011 12:21:49 +0300
Subject: [PATCH] 7013519: [parfait] Integer overflows in 2D code
Reviewed-by: prr, valeriep
---
src/share/native/sun/awt/image/jpeg/imageioJPEG.c | 7 +++++++
src/share/native/sun/font/layout/SunLayoutEngine.cpp | 6 +++++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
index 04a87fd1c..7f0c3aac9 100644
--- a/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
+++ b/src/share/native/sun/awt/image/jpeg/imageioJPEG.c
@@ -1971,6 +1971,13 @@ Java_com_sun_imageio_plugins_jpeg_JPEGImageReader_readImage
return data->abortFlag;
}
+ if (cinfo->output_components <= 0 ||
+ cinfo->image_width > (0xffffffffu / (unsigned int)cinfo->output_components))
+ {
+ JNU_ThrowByName(env, "javax/imageio/IIOException",
+ "Invalid number of output components");
+ return data->abortFlag;
+ }
// Allocate a 1-scanline buffer
scanLinePtr = (JSAMPROW)malloc(cinfo->image_width*cinfo->output_components);
diff --git a/src/share/native/sun/font/layout/SunLayoutEngine.cpp b/src/share/native/sun/font/layout/SunLayoutEngine.cpp
index 553334a18..c7db94829 100644
--- a/src/share/native/sun/font/layout/SunLayoutEngine.cpp
+++ b/src/share/native/sun/font/layout/SunLayoutEngine.cpp
@@ -186,7 +186,11 @@ JNIEXPORT void JNICALL Java_sun_font_SunLayoutEngine_nativeLayout
jchar buffer[256];
jchar* chars = buffer;
if (len > 256) {
- chars = (jchar*)malloc(len * sizeof(jchar));
+ size_t size = len * sizeof(jchar);
+ if (size / sizeof(jchar) != len) {
+ return;
+ }
+ chars = (jchar*)malloc(size);
if (chars == 0) {
return;
}
--
GitLab
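Review bot: The exception text "Invalid number of output components" is misleading for the second half of the new condition, which rejects an `image_width` too large for the `image_width*output_components` product rather than a bad component count; the message should cover both, e.g. `"Invalid image width or number of output components"`. The bound `0xffffffffu` deserves a comment stating why it is the 32-bit limit rather than `SIZE_MAX`: the product on the following `malloc` line is evaluated in the operands' own (32-bit) type before any widening, so that is where it wraps — `/* product below is computed in unsigned int; bound it at UINT_MAX */`, with `UINT_MAX` from `<limits.h>` replacing the literal if that header is already included. Whether the `malloc` result is checked before `scanLinePtr` is used cannot be seen here; readImage continues outside the hunk.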
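Review bot: The divide-back test `size / sizeof(jchar) != len` is correct but obscure; a pre-multiplication bound is the clearer idiom and avoids computing a wrapped value at all: `if ((size_t)len > SIZE_MAX / sizeof(jchar)) { return; }` followed by `size_t size = (size_t)len * sizeof(jchar);`. The type of `len` is declared outside the hunk; if it is a signed JNI `jint`, a negative value is rejected only because the signed-to-`size_t` conversion makes the check fail by accident, so an explicit `if (len < 0) { return; }` would state the intent rather than rely on that. The early `return` without a diagnostic matches the existing `chars == 0` path, so that is consistent; nativeLayout continues outside the hunk.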