From e11425cb23071f68a6f7bd1f1cf1b21cd7357513 Mon Sep 17 00:00:00 2001
From: bae
Date: Fri, 19 Feb 2010 22:30:52 +0300
Subject: [PATCH] 6899653: Sun Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability

Reviewed-by: prr, hawtin
---
 src/share/native/sun/java2d/cmm/lcms/cmsio1.c | 3 +++
 src/share/native/sun/java2d/cmm/lcms/cmsxform.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/src/share/native/sun/java2d/cmm/lcms/cmsio1.c b/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
index 16aec6c53..c105c1c4b 100644
--- a/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
+++ b/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
@@ -1433,6 +1433,9 @@ LPLUT LCMSEXPORT cmsReadICCLut(cmsHPROFILE hProfile, icTagSignature sig)
 // If is in memory, the LUT is already there, so throw a copy
 if (Icc -> TagPtrs[n]) {
+ if (!_cmsValidateLUT((LPLUT) Icc ->TagPtrs[n])) {
+ return NULL;
+ }
 return cmsDupLUT((LPLUT) Icc ->TagPtrs[n]);
 }
diff --git a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
index ec37bebb1..8bf955435 100644
--- a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
+++ b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
@@ -1969,6 +1969,10 @@ cmsHTRANSFORM LCMSEXPORT cmsCreateMultiprofileTransform(cmsHPROFILE hProfiles[],
 goto ErrorCleanup;
 }
+ if (Transforms[i] == NULL) {
+ cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform");
+ goto ErrorCleanup;
+ }
 CurrentColorSpace = ColorSpaceOut;
 }
-- 
GitLab
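Review bot: The new `_cmsValidateLUT` failure path in cmsReadICCLut returns NULL without reporting anything, so a LUT rejected as malformed looks the same as any other NULL return and leaves no trace when a bad profile is being triaged. The cmsxform.c hunk of this same patch does report its failure, so for consistency I would add `cmsSignalError(LCMS_ERRC_ABORTED, "cmsReadICCLut: invalid LUT");` before the `return NULL;`. A short comment above the check, such as `// An in-memory tag is not trusted either: validate before duplicating`, would record why a LUT that is already loaded is checked again. The check covers only the in-memory branch shown here; the rest of cmsReadICCLut, including the path that reads the LUT from the profile data, lies outside the hunk, and it is worth confirming that it applies the same validation.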
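Review bot: The new `Transforms[i] == NULL` branch in cmsCreateMultiprofileTransform jumps to ErrorCleanup with a partly filled Transforms array, which is only safe if the cleanup code skips NULL slots and the slots after `i` were initialised before the loop. Both the array initialisation and the ErrorCleanup label are outside the hunk, so this should be confirmed against the full function. The error text would be easier to act on if it named the failing stage, for example `"cmsCreateMultiprofileTransform: unable to create transform for profile %d", i`, provided cmsSignalError takes printf-style arguments here.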