From f600187d8c6441e4ae5d1d6544adc0710ff2858f Mon Sep 17 00:00:00 2001
From: prr <unknown>
Date: Fri, 5 Oct 2018 11:37:39 -0700
Subject: [PATCH] 8210606: Improved data set handling Reviewed-by: serb,
 psadhukhan, mschoene, rhalade

---
 src/share/native/sun/java2d/cmm/lcms/cmscgats.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/share/native/sun/java2d/cmm/lcms/cmscgats.c b/src/share/native/sun/java2d/cmm/lcms/cmscgats.c
index ff88ffb13..981736a3f 100644
--- a/src/share/native/sun/java2d/cmm/lcms/cmscgats.c
+++ b/src/share/native/sun/java2d/cmm/lcms/cmscgats.c
@@ -1535,10 +1535,16 @@ void AllocateDataSet(cmsIT8* it8)
     t-> nSamples   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_FIELDS"));
     t-> nPatches   = atoi(cmsIT8GetProperty(it8, "NUMBER_OF_SETS"));
 
-    t-> Data = (char**)AllocChunk (it8, ((cmsUInt32Number) t->nSamples + 1) * ((cmsUInt32Number) t->nPatches + 1) *sizeof (char*));
-    if (t->Data == NULL) {
+    if (t -> nSamples < 0 || t->nSamples > 0x7ffe || t->nPatches < 0 || t->nPatches > 0x7ffe)
+    {
+        SynError(it8, "AllocateDataSet: too much data");
+    }
+    else {
+        t->Data = (char**)AllocChunk(it8, ((cmsUInt32Number)t->nSamples + 1) * ((cmsUInt32Number)t->nPatches + 1) * sizeof(char*));
+        if (t->Data == NULL) {
 
-        SynError(it8, "AllocateDataSet: Unable to allocate data array");
+            SynError(it8, "AllocateDataSet: Unable to allocate data array");
+        }
     }
 
 }
-- 
GitLab