6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code...

6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability
Reviewed-by: prr

src/share/native/sun/java2d/cmm/lcms/LCMS.c

@@ -190,12 +190,13 @@ JNIEXPORT jlong JNICALL Java_sun_java2d_cmm_lcms_LCMS_createNativeTransform
                                        "sTrans.xf == NULL");
         JNU_ThrowByName(env, "java/awt/color/CMMException",
                         "Cannot get color transform");
+    } else {
+        Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
     }
 
     if (iccArray != &_iccArray[0]) {
         free(iccArray);
     }
-    Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
     return sTrans.j;
 }
 

src/share/native/sun/java2d/cmm/lcms/cmsxform.c

@@ -687,6 +687,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
                 LPGAMMATABLE Shapes1[3];
 
                 GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+                if (!GrayTRC) {
+                    return NULL;
+                }
                 FromLstarToXYZ(GrayTRC, Shapes1);
 
                 // Reversing must be done after curve translation
@@ -703,6 +706,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
                 // Normal case
 
                 GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag);   // Y
+                if (!GrayTRC) {
+                    return NULL;
+                }
 
                 Shapes[0] = cmsDupGamma(GrayTRC);
                 Shapes[1] = cmsDupGamma(GrayTRC);