From ed9f2aa8e7d9d037da20c90c24c72b6b697afbc3 Mon Sep 17 00:00:00 2001
From: bae
Date: Thu, 1 Jul 2010 12:04:14 +0400
Subject: [PATCH] 6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability
Reviewed-by: prr
---
 src/share/native/sun/java2d/cmm/lcms/LCMS.c | 3 ++-
 src/share/native/sun/java2d/cmm/lcms/cmsxform.c | 6 ++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/share/native/sun/java2d/cmm/lcms/LCMS.c b/src/share/native/sun/java2d/cmm/lcms/LCMS.c
index 1d281b3d2..6bb70cd50 100644
--- a/src/share/native/sun/java2d/cmm/lcms/LCMS.c
+++ b/src/share/native/sun/java2d/cmm/lcms/LCMS.c
@@ -190,12 +190,13 @@ JNIEXPORT jlong JNICALL Java_sun_java2d_cmm_lcms_LCMS_createNativeTransform
 "sTrans.xf == NULL");
 JNU_ThrowByName(env, "java/awt/color/CMMException", "Cannot get color transform");
+ } else {
+ Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
 }
 if (iccArray != &_iccArray[0]) {
 free(iccArray);
 }
- Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
 return sTrans.j;
 }
diff --git a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
index 808da829c..836b302b0 100644
--- a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
+++ b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
@@ -687,6 +687,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
 LPGAMMATABLE Shapes1[3];
 GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+ if (!GrayTRC) {
+ return NULL;
+ }
 FromLstarToXYZ(GrayTRC, Shapes1);
 // Reversing must be done after curve translation
@@ -703,6 +706,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
 // Normal case
 GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag); // Y
+ if (!GrayTRC) {
+ return NULL;
+ }
 Shapes[0] = cmsDupGamma(GrayTRC);
 Shapes[1] = cmsDupGamma(GrayTRC);
-- 
GitLab
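Review bot: In the `@@ -190` hunk of LCMS.c, nothing explains why `Disposer_AddRecord` now sits in the `else` branch, and the failure path still falls through to `return sTrans.j` after throwing `CMMException`. Before the change the disposer record was registered even when `sTrans.xf == NULL`, so `LCMS_freeTransform` would presumably later have been handed a transform that was never created. I would add `/* Register the disposer only for a transform that was actually created; on failure a CMMException is pending. */` above the call. What `sTrans.j` holds on the failure path depends on the declaration of `sTrans`, which is outside the hunk, so that return value needs confirming or an explicit `return 0;`. The function body starts before the hunk.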
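Review bot: The new `return NULL` exits in `cmsBuildGrayOutputMatrixShaper` are undocumented, both here after `cmsReadICCGamma` in the `@@ -687` hunk of cmsxform.c and after `cmsReadICCGammaReversed` in the `@@ -703` hunk. Since the gamma table comes from a profile that may be untrusted, a short comment at each check would help, for example `/* Gray TRC tag missing or unreadable in the profile: fail rather than pass NULL on. */`. The function's header comment should also say that NULL is a possible result. Its callers are outside this diff, so it is worth confirming that each of them tests the returned `LPMATSHAPER` before use. The function starts and ends outside both hunks.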
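Review bot: In the `@@ -703` hunk of cmsxform.c, the two context lines after the new check, `Shapes[0] = cmsDupGamma(GrayTRC);` and `Shapes[1] = cmsDupGamma(GrayTRC);`, store their results without testing them. If `cmsDupGamma` can return NULL, for instance on allocation failure, a NULL table could still reach the shaper construction, which is the condition this patch guards against for `GrayTRC` itself. I would follow the duplications with a guard such as `if (!Shapes[0] || !Shapes[1]) { /* release GrayTRC and any copy already made */ return NULL; }`. The rest of the function, including any further `Shapes[]` assignment and the cleanup of `GrayTRC`, lies outside the hunk.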