changeset 6302:975d1f8c48dc

Merge
author sjiang
date Thu, 21 Mar 2013 10:49:14 -0700
parents df597b1ebb4b 753eea1a0e03
children 88c913e066d8
files
diffstat 37 files changed, 324 insertions(+), 103 deletions(-) [+]
line wrap: on
line diff
--- a/src/macosx/native/sun/awt/CRobot.m	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/macosx/native/sun/awt/CRobot.m	Thu Mar 21 10:49:14 2013 -0700
@@ -29,6 +29,7 @@
 #import "LWCToolkit.h"
 #import "sun_lwawt_macosx_CRobot.h"
 #import "java_awt_event_InputEvent.h"
+#import "sizecalc.h"
 
 
 // Starting number for event numbers generated by Robot.
@@ -115,7 +116,7 @@
         gsLastClickTime = 0;
         gsEventNumber = ROBOT_EVENT_NUMBER_START;
 
-        gsButtonEventNumber = (int*)malloc(sizeof(int) * gNumberOfButtons);
+        gsButtonEventNumber = (int*)SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(int), gNumberOfButtons);
         if (gsButtonEventNumber == NULL) {
             JNU_ThrowOutOfMemoryError(env, NULL);
             return;
--- a/src/macosx/native/sun/awt/LWCToolkit.m	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/macosx/native/sun/awt/LWCToolkit.m	Thu Mar 21 10:49:14 2013 -0700
@@ -37,6 +37,8 @@
 
 #import "sun_lwawt_macosx_LWCToolkit.h"
 
+#import "sizecalc.h"
+
 int gNumberOfButtons;
 jint* gButtonDownMasks;
 
@@ -197,7 +199,8 @@
             screenID = (CGDirectDisplayID)onlineDisplays[screenIndex];
         } else {
             CGDirectDisplayID *onlineDisplays =
-            malloc(displayCount*sizeof(CGDirectDisplayID));
+                SAFE_SIZE_ARRAY_ALLOC(malloc,
+                        displayCount, sizeof(CGDirectDisplayID));
             if (onlineDisplays != NULL) {
                 CGGetOnlineDisplayList(displayCount, onlineDisplays,
                                        &displayCount);
@@ -235,7 +238,7 @@
     jintArray obj = (jintArray)(*env)->CallStaticObjectMethod(env, inputEventClazz, getButtonDownMasksID);
     jint * tmp = (*env)->GetIntArrayElements(env, obj, JNI_FALSE);
     
-    gButtonDownMasks = (jint*)malloc(sizeof(jint) * gNumberOfButtons);
+    gButtonDownMasks = (jint*)SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(jint), gNumberOfButtons);
     if (gButtonDownMasks == NULL) {
         gNumberOfButtons = 0;
         JNU_ThrowOutOfMemoryError(env, NULL);
--- a/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/macosx/native/sun/awt/splashscreen/splashscreen_sys.m	Thu Mar 21 10:49:14 2013 -0700
@@ -44,6 +44,7 @@
 #include <unistd.h>
 #include <dlfcn.h>
 
+#include <sizecalc.h>
 
 static NSScreen* SplashNSScreen()
 {
@@ -99,9 +100,12 @@
         goto done;
     }
     inSize = strlen(in);
+    buf = SAFE_SIZE_ARRAY_ALLOC(malloc, inSize, 2);
+    if (!buf) {
+        return NULL;
+    }
     bufSize = inSize*2; // need 2 bytes per char for UCS-2, this is
                         // 2 bytes per source byte max
-    buf = malloc(bufSize);
     out = buf; outSize = bufSize;
     /* linux iconv wants char** source and solaris wants const char**...
        cast to void* */
--- a/src/share/classes/com/sun/jmx/mbeanserver/Introspector.java	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/share/classes/com/sun/jmx/mbeanserver/Introspector.java	Thu Mar 21 10:49:14 2013 -0700
@@ -374,13 +374,19 @@
         for (Annotation a : annots) {
             Class<? extends Annotation> c = a.annotationType();
             Method[] elements = c.getMethods();
+            boolean packageAccess = false;
             for (Method element : elements) {
                 DescriptorKey key = element.getAnnotation(DescriptorKey.class);
                 if (key != null) {
                     String name = key.value();
                     Object value;
                     try {
-                        value = element.invoke(a);
+                        // Avoid checking access more than once per annotation
+                        if (!packageAccess) {
+                            ReflectUtil.checkPackageAccess(c);
+                            packageAccess = true;
+                        }
+                        value = MethodUtil.invoke(element, a, null);
                     } catch (RuntimeException e) {
                         // we don't expect this - except for possibly
                         // security exceptions?
--- a/src/share/classes/java/security/KeyStore.java	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/share/classes/java/security/KeyStore.java	Thu Mar 21 10:49:14 2013 -0700
@@ -1729,7 +1729,7 @@
                              oldException);
                     }
                     try {
-                        return AccessController.doPrivileged(action);
+                        return AccessController.doPrivileged(action, context);
                     } catch (PrivilegedActionException e) {
                         Throwable cause = e.getCause();
                         throw new KeyStoreException
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/native/common/sizecalc.h	Thu Mar 21 10:49:14 2013 -0700
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifndef SIZECALC_H
+#define SIZECALC_H
+
+/*
+ * A machinery for safe calculation of sizes used when allocating memory.
+ *
+ * All size checks are performed against the SIZE_MAX (the maximum value for
+ * size_t). All numerical arguments as well as the result of calculation must
+ * be non-negative integers less than or equal to SIZE_MAX, otherwise the
+ * calculated size is considered unsafe.
+ *
+ * If the SIZECALC_ALLOC_THROWING_BAD_ALLOC macro is defined, then _ALLOC_
+ * helper macros throw the std::bad_alloc instead of returning NULL.
+ */
+
+#include <stdint.h> /* SIZE_MAX for C99+ */
+/* http://stackoverflow.com/questions/3472311/what-is-a-portable-method-to-find-the-maximum-value-of-size-t */
+#ifndef SIZE_MAX
+#define SIZE_MAX ((size_t)-1)
+#endif
+
+#define IS_SAFE_SIZE_T(x) ((x) >= 0 && (unsigned long long)(x) <= SIZE_MAX)
+
+#define IS_SAFE_SIZE_MUL(m, n) \
+    (IS_SAFE_SIZE_T(m) && IS_SAFE_SIZE_T(n) && ((m) == 0 || (n) == 0 || (size_t)(n) <= (SIZE_MAX / (size_t)(m))))
+
+#define IS_SAFE_SIZE_ADD(a, b) \
+    (IS_SAFE_SIZE_T(a) && IS_SAFE_SIZE_T(b) && (size_t)(b) <= (SIZE_MAX - (size_t)(a)))
+
+
+
+/* Helper macros */
+
+#ifdef SIZECALC_ALLOC_THROWING_BAD_ALLOC
+#define FAILURE_RESULT throw std::bad_alloc()
+#else
+#define FAILURE_RESULT NULL
+#endif
+
+/*
+ * A helper macro to safely allocate an array of size m*n.
+ * Example usage:
+ *    int* p = (int*)SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(int), n);
+ *    if (!p) throw OutOfMemory;
+ *    // Use the allocated array...
+ */
+#define SAFE_SIZE_ARRAY_ALLOC(func, m, n) \
+    (IS_SAFE_SIZE_MUL((m), (n)) ? ((func)((m) * (n))) : FAILURE_RESULT)
+
+#define SAFE_SIZE_ARRAY_REALLOC(func, p, m, n) \
+    (IS_SAFE_SIZE_MUL((m), (n)) ? ((func)((p), (m) * (n))) : FAILURE_RESULT)
+
+/*
+ * A helper macro to safely allocate an array of type 'type' with 'n' items
+ * using the C++ new[] operator.
+ * Example usage:
+ *    MyClass* p = SAFE_SIZE_NEW_ARRAY(MyClass, n);
+ *    // Use the pointer.
+ * This macro throws the std::bad_alloc C++ exception to indicate
+ * a failure.
+ * NOTE: if 'n' is calculated, the calling code is responsible for using the
+ * IS_SAFE_... macros to check if the calculations are safe.
+ */
+#define SAFE_SIZE_NEW_ARRAY(type, n) \
+    (IS_SAFE_SIZE_MUL(sizeof(type), (n)) ? (new type[(n)]) : throw std::bad_alloc())
+
+#define SAFE_SIZE_NEW_ARRAY2(type, n, m) \
+    (IS_SAFE_SIZE_MUL((m), (n)) && IS_SAFE_SIZE_MUL(sizeof(type), (n) * (m)) ? \
+     (new type[(n) * (m)]) : throw std::bad_alloc())
+
+/*
+ * Checks if a data structure of size (a + m*n) can be safely allocated
+ * w/o producing an integer overflow when calculating its size.
+ */
+#define IS_SAFE_STRUCT_SIZE(a, m, n) \
+    ( \
+      IS_SAFE_SIZE_MUL((m), (n)) && IS_SAFE_SIZE_ADD((m) * (n), (a)) \
+    )
+
+/*
+ * A helper macro for implementing safe memory allocation for a data structure
+ * of size (a + m * n).
+ * Example usage:
+ *    void * p = SAFE_SIZE_ALLOC(malloc, header, num, itemSize);
+ *    if (!p) throw OutOfMemory;
+ *    // Use the allocated memory...
+ */
+#define SAFE_SIZE_STRUCT_ALLOC(func, a, m, n) \
+    (IS_SAFE_STRUCT_SIZE((a), (m), (n)) ? ((func)((a) + (m) * (n))) : FAILURE_RESULT)
+
+
+#endif /* SIZECALC_H */
+
--- a/src/share/native/sun/awt/splashscreen/java_awt_SplashScreen.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/share/native/sun/awt/splashscreen/java_awt_SplashScreen.c	Thu Mar 21 10:49:14 2013 -0700
@@ -26,6 +26,7 @@
 #include "splashscreen_impl.h"
 #include <jni.h>
 #include <jlong_md.h>
+#include <sizecalc.h>
 
 JNIEXPORT jint JNICALL
 JNI_OnLoad(JavaVM * vm, void *reserved)
@@ -57,7 +58,7 @@
     if (splash->overlayData) {
         free(splash->overlayData);
     }
-    splash->overlayData = malloc(dataSize * sizeof(rgbquad_t));
+    splash->overlayData = SAFE_SIZE_ARRAY_ALLOC(malloc, dataSize, sizeof(rgbquad_t));
     if (splash->overlayData) {
         /* we need a copy anyway, so we'll be using GetIntArrayRegion */
         (*env)->GetIntArrayRegion(env, data, 0, dataSize,
--- a/src/share/native/sun/awt/splashscreen/splashscreen_gif.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/share/native/sun/awt/splashscreen/splashscreen_gif.c	Thu Mar 21 10:49:14 2013 -0700
@@ -28,6 +28,8 @@
 
 #include "../giflib/gif_lib.h"
 
+#include "sizecalc.h"
+
 #define GIF_TRANSPARENT     0x01
 #define GIF_USER_INPUT      0x02
 #define GIF_DISPOSE_MASK    0x07
@@ -120,7 +122,7 @@
     splash->height = gif->SHeight;
     splash->frameCount = gif->ImageCount;
     splash->frames = (SplashImage *)
-        malloc(sizeof(SplashImage) * gif->ImageCount);
+        SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(SplashImage), gif->ImageCount);
     if (!splash->frames) {
       free(pBitmapBits);
       free(pOldBitmapBits);
@@ -254,7 +256,7 @@
         // now dispose of the previous frame correctly
 
         splash->frames[imageIndex].bitmapBits =
-            (rgbquad_t *) malloc(bufferSize);
+            (rgbquad_t *) malloc(bufferSize); // bufferSize is safe (checked above)
         if (!splash->frames[imageIndex].bitmapBits) {
             free(pBitmapBits);
             free(pOldBitmapBits);
--- a/src/share/native/sun/java2d/pipe/Region.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/share/native/sun/java2d/pipe/Region.c	Thu Mar 21 10:49:14 2013 -0700
@@ -28,6 +28,7 @@
 #include "jni_util.h"
 
 #include "Region.h"
+#include "sizecalc.h"
 
 static jfieldID endIndexID;
 static jfieldID bandsID;
@@ -260,8 +261,8 @@
         }
         Region_StartIteration(env, &clipInfo);
         numrects = Region_CountIterationRects(&clipInfo);
-        if (numrects > initialBufferSize) {
-            *pRect = (RECT_T *) malloc(numrects * sizeof(RECT_T));
+        if ((unsigned long)numrects > initialBufferSize) {
+            *pRect = (RECT_T *) SAFE_SIZE_ARRAY_ALLOC(malloc, numrects, sizeof(RECT_T));
             if (*pRect == NULL) {
                 Region_EndIteration(env, &clipInfo);
                 JNU_ThrowOutOfMemoryError(env,
--- a/src/solaris/native/sun/awt/awt_Robot.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/awt/awt_Robot.c	Thu Mar 21 10:49:14 2013 -0700
@@ -40,6 +40,7 @@
 #include <X11/extensions/XInput.h>
 #include <X11/extensions/XI.h>
 #include <jni.h>
+#include <sizecalc.h>
 #include "robot_common.h"
 #include "canvas.h"
 #include "wsutils.h"
@@ -175,7 +176,7 @@
 
     num_buttons = numberOfButtons;
     tmp = (*env)->GetIntArrayElements(env, buttonDownMasks, JNI_FALSE);
-    masks = (jint *)malloc(sizeof(jint) * num_buttons);
+    masks = (jint *)SAFE_SIZE_ARRAY_ALLOC(malloc, sizeof(jint), num_buttons);
     if (masks == (jint *) NULL) {
         JNU_ThrowOutOfMemoryError((JNIEnv *)JNU_GetEnv(jvm, JNI_VERSION_1_2), NULL);
         (*env)->ReleaseIntArrayElements(env, buttonDownMasks, tmp, 0);
@@ -232,8 +233,9 @@
     image = getWindowImage(awt_display, rootWindow, x, y, width, height);
 
     /* Array to use to crunch around the pixel values */
-    ary = (jint *) malloc(width * height * sizeof (jint));
-    if (ary == NULL) {
+    if (!IS_SAFE_SIZE_MUL(width, height) ||
+        !(ary = (jint *) SAFE_SIZE_ARRAY_ALLOC(malloc, width * height, sizeof (jint))))
+    {
         JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
         XDestroyImage(image);
         AWT_UNLOCK();
--- a/src/solaris/native/sun/awt/awt_UNIXToolkit.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/awt/awt_UNIXToolkit.c	Thu Mar 21 10:49:14 2013 -0700
@@ -29,6 +29,7 @@
 #include <dlfcn.h>
 
 #include <jni.h>
+#include <sizecalc.h>
 #include "sun_awt_UNIXToolkit.h"
 
 #ifndef HEADLESS
@@ -148,7 +149,8 @@
     }
 
     len = (*env)->GetStringUTFLength(env, filename);
-    filename_str = (char *)malloc(sizeof(char) * (len + 1));
+    filename_str = (char *)SAFE_SIZE_ARRAY_ALLOC(malloc,
+            sizeof(char), len + 1);
     if (filename_str == NULL) {
         JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
         return JNI_FALSE;
@@ -189,7 +191,8 @@
     }
 
     len = (*env)->GetStringUTFLength(env, stock_id);
-    stock_id_str = (char *)malloc(sizeof(char) * (len + 1));
+    stock_id_str = (char *)SAFE_SIZE_ARRAY_ALLOC(malloc,
+            sizeof(char), len + 1);
     if (stock_id_str == NULL) {
         JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
         return JNI_FALSE;
@@ -200,7 +203,8 @@
     if (detail != NULL)
     {
         len = (*env)->GetStringUTFLength(env, detail);
-        detail_str = (char *)malloc(sizeof(char) * (len + 1));
+        detail_str = (char *)SAFE_SIZE_ARRAY_ALLOC(malloc,
+                sizeof(char), len + 1);
         if (detail_str == NULL) {
             JNU_ThrowOutOfMemoryError(env, "OutOfMemoryError");
             return JNI_FALSE;
--- a/src/solaris/native/sun/awt/fontpath.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/awt/fontpath.c	Thu Mar 21 10:49:14 2013 -0700
@@ -41,6 +41,7 @@
 #include <jni.h>
 #include <jni_util.h>
 #include <jvm_md.h>
+#include <sizecalc.h>
 #include <sun_font_FontManager.h>
 #ifndef HEADLESS
 #include <X11/Xlib.h>
@@ -226,7 +227,7 @@
 
     if ( fDirP->num == 0 ) return;
 
-    appendDirList = malloc ( fDirP->num * sizeof ( int ));
+    appendDirList = SAFE_SIZE_ARRAY_ALLOC(malloc, fDirP->num, sizeof ( int ));
     if ( appendDirList == NULL ) {
       return;  /* if it fails we cannot do much */
     }
@@ -283,7 +284,7 @@
     }
 
 
-    newFontPath = malloc ( totalDirCount * sizeof ( char **) );
+    newFontPath = SAFE_SIZE_ARRAY_ALLOC(malloc, totalDirCount, sizeof ( char **) );
     /* if it fails free things and get out */
     if ( newFontPath == NULL ) {
       free ( ( void *) appendDirList );
@@ -304,7 +305,12 @@
 
         /* printf ( "Appending %s\n", fDirP->name[index] ); */
 
-        onePath = malloc ( ( strlen (fDirP->name[index]) + 2 )* sizeof( char ) );
+        onePath = SAFE_SIZE_ARRAY_ALLOC(malloc, strlen (fDirP->name[index]) + 2, sizeof( char ) );
+        if (onePath == NULL) {
+            free ( ( void *) appendDirList );
+            XFreeFontPath ( origFontPath );
+            return;
+        }
         strcpy ( onePath, fDirP->name[index] );
         strcat ( onePath, "/" );
         newFontPath[nPaths++] = onePath;
--- a/src/solaris/native/sun/awt/gtk2_interface.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/awt/gtk2_interface.c	Thu Mar 21 10:49:14 2013 -0700
@@ -31,6 +31,7 @@
 #include "gtk2_interface.h"
 #include "java_awt_Transparency.h"
 #include "jvm_md.h"
+#include "sizecalc.h"
 
 #define GTK2_LIB_VERSIONED VERSIONED_JNI_LIB_NAME("gtk-x11-2.0", "0")
 #define GTK2_LIB JNI_LIB_NAME("gtk-x11-2.0")
@@ -732,7 +733,8 @@
         gtk_modules_env && strstr (gtk_modules_env, "gail"))
     {
         /* the new env will be smaller than the old one */
-        gchar *s, *new_env = malloc (sizeof(ENV_PREFIX)+strlen (gtk_modules_env));
+        gchar *s, *new_env = SAFE_SIZE_STRUCT_ALLOC(malloc,
+                sizeof(ENV_PREFIX), 1, strlen (gtk_modules_env));
 
         if (new_env != NULL )
         {
--- a/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/awt/splashscreen/splashscreen_sys.c	Thu Mar 21 10:49:14 2013 -0700
@@ -41,6 +41,7 @@
 #include <locale.h>
 #include <fcntl.h>
 #include <poll.h>
+#include <sizecalc.h>
 
 static Bool shapeSupported;
 static int shapeEventBase, shapeErrorBase;
@@ -76,9 +77,12 @@
         goto done;
     }
     inSize = strlen(in);
+    buf = SAFE_SIZE_ARRAY_ALLOC(malloc, inSize, 2);
+    if (!buf) {
+        return NULL;
+    }
     bufSize = inSize*2; // need 2 bytes per char for UCS-2, this is
                         // 2 bytes per source byte max
-    buf = malloc(bufSize);
     out = buf; outSize = bufSize;
     /* linux iconv wants char** source and solaris wants const char**...
        cast to void* */
@@ -114,12 +118,20 @@
     initRect(&maskRect, 0, 0, splash->width, splash->height, 1,
             splash->width * splash->imageFormat.depthBytes,
             splash->frames[imageIndex].bitmapBits, &splash->imageFormat);
-    rects =
-        malloc(sizeof(XRectangle) * (splash->width / 2 + 1) * splash->height);
+    if (!IS_SAFE_SIZE_MUL(splash->width / 2 + 1, splash->height)) {
+        return;
+    }
+    rects = SAFE_SIZE_ARRAY_ALLOC(malloc,
+            sizeof(XRectangle), (splash->width / 2 + 1) * splash->height);
+    if (!rects) {
+        return;
+    }
 
     frame->numRects = BitmapToYXBandedRectangles(&maskRect, rects);
-    frame->rects = malloc(frame->numRects * sizeof(XRectangle));
-    memcpy(frame->rects, rects, frame->numRects * sizeof(XRectangle));
+    frame->rects = SAFE_SIZE_ARRAY_ALLOC(malloc, frame->numRects, sizeof(XRectangle));
+    if (frame->rects) { // handle the error after the if(){}
+        memcpy(frame->rects, rects, frame->numRects * sizeof(XRectangle));
+    }
     free(rects);
 }
 
--- a/src/solaris/native/sun/xawt/XlibWrapper.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/solaris/native/sun/xawt/XlibWrapper.c	Thu Mar 21 10:49:14 2013 -0700
@@ -38,6 +38,7 @@
 #include <jni.h>
 #include <jni_util.h>
 #include <jlong.h>
+#include <sizecalc.h>
 
 #include <awt.h>
 #include <jvm.h>
@@ -2223,6 +2224,10 @@
     RECT_T * pRect;
     int numrects;
 
+    if (!IS_SAFE_SIZE_MUL(width / 2 + 1, height)) {
+        return;
+    }
+
     AWT_CHECK_HAVE_LOCK();
 
     len = (*env)->GetArrayLength(env, bitmap);
@@ -2235,7 +2240,10 @@
         return;
     }
 
-    pRect = (RECT_T *)malloc(worstBufferSize * sizeof(RECT_T));
+    pRect = (RECT_T *)SAFE_SIZE_ARRAY_ALLOC(malloc, worstBufferSize, sizeof(RECT_T));
+    if (!pRect) {
+        return;
+    }
 
     /* Note: the values[0] and values[1] are supposed to contain the width
      * and height (see XIconInfo.getIntData() for details). So, we do +2.
--- a/src/windows/native/sun/awt/splashscreen/splashscreen_sys.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/awt/splashscreen/splashscreen_sys.c	Thu Mar 21 10:49:14 2013 -0700
@@ -37,6 +37,7 @@
 #include <windowsx.h>
 #include <windows.h>
 #include <winuser.h>
+#include "sizecalc.h"
 
 #ifndef WS_EX_LAYERED
 #define WS_EX_LAYERED 0x80000
@@ -67,7 +68,10 @@
     len = strlen(in);
     outChars = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, in, len,
                                        NULL, 0);
-    buf = malloc(outChars*sizeof(WCHAR));
+    buf = (WCHAR*) SAFE_SIZE_ARRAY_ALLOC(malloc, outChars, sizeof(WCHAR));
+    if (!buf) {
+        return NULL;
+    }
     rc = MultiByteToWideChar(CP_ACP, MB_PRECOMPOSED, in, len,
                                  buf, outChars);
     if (rc==0) {
@@ -98,8 +102,14 @@
         return;
 
     /* reserving memory for the worst case */
-    pRgnData = (RGNDATA *) malloc(sizeof(RGNDATAHEADER) +
-            sizeof(RECT) * (splash->width / 2 + 1) * splash->height);
+    if (!IS_SAFE_SIZE_MUL(splash->width / 2 + 1, splash->height)) {
+        return;
+    }
+    pRgnData = (RGNDATA *) SAFE_SIZE_STRUCT_ALLOC(malloc, sizeof(RGNDATAHEADER),
+            sizeof(RECT), (splash->width / 2 + 1) * splash->height);
+    if (!pRgnData) {
+        return;
+    }
     pRgnHdr = (RGNDATAHEADER *) pRgnData;
     initRect(&maskRect, 0, 0, splash->width, splash->height, 1,
             splash->width * splash->imageFormat.depthBytes,
@@ -130,7 +140,6 @@
 {
     unsigned numColors = splash->screenFormat.colorMap ?
         splash->screenFormat.numColors : 0;
-    unsigned bmiSize;
     BITMAPV4HEADER *pBmi;
     HPALETTE hOldPal = NULL;
 
@@ -138,8 +147,11 @@
         return;
     if (splash->currentFrame < 0 || splash->currentFrame >= splash->frameCount)
         return;
-    bmiSize = sizeof(BITMAPV4HEADER) + sizeof(RGBQUAD) * numColors;
-    pBmi = (BITMAPV4HEADER *) alloca(bmiSize);
+    pBmi = (BITMAPV4HEADER *) SAFE_SIZE_STRUCT_ALLOC(alloca, sizeof(BITMAPV4HEADER),
+            sizeof(RGBQUAD), numColors);
+    if (!pBmi) {
+        return;
+    }
     memset(pBmi, 0, sizeof(BITMAPV4HEADER));
     if (splash->screenFormat.colorMap)
         memcpy(((BYTE *) pBmi) + sizeof(BITMAPV4HEADER),
@@ -163,8 +175,11 @@
        here on demand */
     if (!splash->hPalette) {
         unsigned i;
-        LOGPALETTE *pLogPal =
-            malloc(sizeof(LOGPALETTE) + sizeof(PALETTEENTRY) * numColors);
+        LOGPALETTE *pLogPal = (LOGPALETTE *) SAFE_SIZE_STRUCT_ALLOC(malloc,
+                sizeof(LOGPALETTE), sizeof(PALETTEENTRY), numColors);
+        if (!pLogPal) {
+            return;
+        }
 
         pLogPal->palVersion = 0x300;
         pLogPal->palNumEntries = (WORD) numColors;
--- a/src/windows/native/sun/font/lcdglyph.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/font/lcdglyph.c	Thu Mar 21 10:49:14 2013 -0700
@@ -54,6 +54,7 @@
 #include <jni.h>
 #include <jni_util.h>
 #include <jlong_md.h>
+#include <sizecalc.h>
 #include <sun_font_FileFontStrike.h>
 
 #include "fontscalerdefs.h"
@@ -374,11 +375,11 @@
     bmi.bmiHeader.biBitCount = 24;
     bmi.bmiHeader.biCompression = BI_RGB;
 
-    dibImageSize = dibBytesWidth*height;
-    dibImage = malloc(dibImageSize);
+    dibImage = SAFE_SIZE_ARRAY_ALLOC(malloc, dibBytesWidth, height);
     if (dibImage == NULL) {
         FREE_AND_RETURN;
     }
+    dibImageSize = dibBytesWidth*height;
     memset(dibImage, 0, dibImageSize);
 
     err = GetDIBits(hMemoryDC, hBitmap, 0, height, dibImage,
@@ -407,11 +408,12 @@
      * that extra "1" was added as padding, so the sub-pixel positioning of
      * fractional metrics could index into it.
      */
-    imageSize = bytesWidth*height;
-    glyphInfo = (GlyphInfo*)malloc(sizeof(GlyphInfo)+imageSize);
+    glyphInfo = (GlyphInfo*)SAFE_SIZE_STRUCT_ALLOC(malloc, sizeof(GlyphInfo),
+            bytesWidth, height);
     if (malloc == NULL) {
         FREE_AND_RETURN;
     }
+    imageSize = bytesWidth*height;
     glyphInfo->cellInfo = NULL;
     glyphInfo->rowBytes = bytesWidth;
     glyphInfo->width = width;
--- a/src/windows/native/sun/java2d/opengl/WGLSurfaceData.c	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/java2d/opengl/WGLSurfaceData.c	Thu Mar 21 10:49:14 2013 -0700
@@ -30,6 +30,7 @@
 #include "jni.h"
 #include "jlong.h"
 #include "jni_util.h"
+#include "sizecalc.h"
 #include "OGLRenderQueue.h"
 #include "WGLGraphicsConfig.h"
 #include "WGLSurfaceData.h"
@@ -603,7 +604,7 @@
     height = h;
     srcx = srcy = dstx = dsty = 0;
 
-    pDst = malloc(height * scanStride);
+    pDst = SAFE_SIZE_ARRAY_ALLOC(malloc, height, scanStride);
     if (pDst == NULL) {
         return JNI_FALSE;
     }
--- a/src/windows/native/sun/java2d/windows/GDIBlitLoops.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/java2d/windows/GDIBlitLoops.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -166,6 +166,7 @@
                 // when using ByteGray surfaces.  Eventually, we should use
                 // the new Disposer mechanism to delete this native memory.
                 if (byteGrayPalette == NULL) {
+                    // assert (256 * sizeof(RGBQUAD)) <= SIZE_MAX
                     byteGrayPalette = (RGBQUAD *)safe_Malloc(256 * sizeof(RGBQUAD));
                     for (int i = 0; i < 256; ++i) {
                         byteGrayPalette[i].rgbRed = i;
--- a/src/windows/native/sun/java2d/windows/GDIRenderer.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/java2d/windows/GDIRenderer.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -84,7 +84,7 @@
         *pNpoints = outpoints;
     }
     if (outpoints > POLYTEMPSIZE) {
-        pPoints = (POINT *) safe_Malloc(sizeof(POINT) * outpoints);
+        pPoints = (POINT *) SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(POINT), outpoints);
     }
     BOOL isempty = fixend;
     for (int i = 0; i < npoints; i++) {
--- a/src/windows/native/sun/java2d/windows/GDIWindowSurfaceData.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/java2d/windows/GDIWindowSurfaceData.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -1056,8 +1056,9 @@
             int topInset = wsdo->insets.top;
             Region_StartIteration(env, &clipInfo);
             jint numrects = Region_CountIterationRects(&clipInfo);
-            DWORD nCount = sizeof(RGNDATAHEADER) + numrects * sizeof(RECT);
-            RGNDATA *lpRgnData = (RGNDATA *) safe_Malloc(nCount);
+            RGNDATA *lpRgnData = (RGNDATA *) SAFE_SIZE_STRUCT_ALLOC(safe_Malloc,
+                    sizeof(RGNDATAHEADER), numrects, sizeof(RECT));
+            const DWORD nCount = sizeof(RGNDATAHEADER) + numrects * sizeof(RECT);
             lpRgnData->rdh.dwSize = sizeof(RGNDATAHEADER);
             lpRgnData->rdh.iType = RDH_RECTANGLES;
             lpRgnData->rdh.nCount = numrects;
--- a/src/windows/native/sun/windows/CmdIDList.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/CmdIDList.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -39,7 +39,7 @@
 {
     m_capacity = ARRAY_INITIAL_SIZE;
     m_first_free = -1;
-    m_array = (CmdIDEntry *)safe_Malloc(m_capacity * sizeof(AwtObject*));
+    m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, m_capacity, sizeof(AwtObject*));
     BuildFreeList(0);
 }
 
@@ -80,8 +80,8 @@
             m_capacity += ARRAY_SIZE_INCREMENT;
             if (m_capacity > ARRAY_MAXIMUM_SIZE)
                 m_capacity = ARRAY_MAXIMUM_SIZE;
-            m_array = (CmdIDEntry *)safe_Realloc(m_array,
-                                        m_capacity * sizeof(CmdIDEntry*));
+            m_array = (CmdIDEntry *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_array,
+                                        m_capacity, sizeof(CmdIDEntry*));
             BuildFreeList(old_capacity);
         }
     }
--- a/src/windows/native/sun/windows/Devices.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/Devices.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -171,8 +171,8 @@
     J2dTraceLn1(J2D_TRACE_INFO, "Devices::Devices numDevices=%d", numDevices);
     this->numDevices = numDevices;
     this->refCount = 0;
-    devices = (AwtWin32GraphicsDevice**)safe_Malloc
-        (numDevices * sizeof(AwtWin32GraphicsDevice *));
+    devices = (AwtWin32GraphicsDevice**)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc,
+        numDevices, sizeof(AwtWin32GraphicsDevice *));
 }
 
 /**
@@ -188,7 +188,8 @@
     J2dTraceLn(J2D_TRACE_INFO, "Devices::UpdateInstance");
 
     int numScreens = CountMonitors();
-    HMONITOR *monHds = (HMONITOR *)safe_Malloc(numScreens * sizeof(HMONITOR));
+    HMONITOR *monHds = (HMONITOR *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc,
+            numScreens, sizeof(HMONITOR));
     if (numScreens != CollectMonitors(monHds, numScreens)) {
         J2dRlsTraceLn(J2D_TRACE_ERROR,
                       "Devices::UpdateInstance: Failed to get all "\
--- a/src/windows/native/sun/windows/ShellFolder2.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/ShellFolder2.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -393,6 +393,9 @@
     if (cb == 0)
         return 0;
 
+    if (!IS_SAFE_SIZE_ADD(cb, sizeof(SHITEMID))) {
+        return 0;
+    }
     // Allocate space for this as well as null-terminating entry.
     LPITEMIDLIST newPIDL = (LPITEMIDLIST)pMalloc->Alloc(cb + sizeof(SHITEMID));
 
@@ -433,6 +436,9 @@
     int len1 = pidlLength(parentPIDL);
     int len2 = pidlLength(relativePIDL);
 
+    if (!IS_SAFE_SIZE_ADD(len1, len2) || !IS_SAFE_SIZE_ADD(len1 + len2, sizeof(SHITEMID))) {
+        return 0;
+    }
     LPITEMIDLIST newPIDL = (LPITEMIDLIST)pMalloc->Alloc(len1 + len2 + sizeof(SHITEMID));
     memcpy(newPIDL, parentPIDL, len1);
     memcpy(((LPBYTE) newPIDL) + len1, relativePIDL, len2);
--- a/src/windows/native/sun/windows/WPrinterJob.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/WPrinterJob.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -810,7 +810,7 @@
       int numSizes = ::DeviceCapabilities(printerName, printerPort,
                                           DC_PAPERS, NULL, NULL);
       if (numSizes > 0) {
-          LPTSTR papers = (LPTSTR)safe_Malloc(numSizes * sizeof(WORD));
+          LPTSTR papers = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, numSizes, sizeof(WORD));
           if (papers != NULL &&
               ::DeviceCapabilities(printerName, printerPort,
                                    DC_PAPERS, papers, NULL) != -1) {
--- a/src/windows/native/sun/windows/alloc.h	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/alloc.h	Thu Mar 21 10:49:14 2013 -0700
@@ -35,6 +35,9 @@
     class bad_alloc {};
 }
 
+#define SIZECALC_ALLOC_THROWING_BAD_ALLOC
+#include "sizecalc.h"
+
 class awt_toolkit_shutdown {};
 
 // Disable "C++ Exception Specification ignored" warnings.
--- a/src/windows/native/sun/windows/awt.h	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt.h	Thu Mar 21 10:49:14 2013 -0700
@@ -326,7 +326,7 @@
         m_dwSize = cbTCharCount;
         m_pStr = (0 == m_dwSize)
             ? NULL
-            : (LPWSTR)safe_Malloc( (m_dwSize+1)*sizeof(WCHAR) );
+            : (LPWSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, (m_dwSize+1), sizeof(WCHAR) );
     }
 
     JavaStringBuffer(JNIEnv *env, jstring text) {
@@ -336,7 +336,7 @@
         if (0 == m_dwSize) {
             m_pStr = NULL;
         } else {
-            m_pStr = (LPWSTR)safe_Malloc( (m_dwSize+1)*sizeof(WCHAR) );
+            m_pStr = (LPWSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, (m_dwSize+1), sizeof(WCHAR) );
             env->GetStringRegion(text, 0, m_dwSize, reinterpret_cast<jchar *>(m_pStr));
             m_pStr[m_dwSize] = 0;
         }
@@ -353,7 +353,7 @@
         //The function is used only for space reservation in staff buffer for
         //followed data copying process. And that is the reason why we ignore
         //the special case m_dwSize==0 here.
-        m_pStr = (LPWSTR)safe_Realloc(m_pStr, (m_dwSize+1)*sizeof(WCHAR) );
+        m_pStr = (LPWSTR)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_pStr, m_dwSize+1, sizeof(WCHAR) );
     }
     //we are in UNICODE now, so LPWSTR:=:LPTSTR
     operator LPWSTR() { return getNonEmptyString(); }
--- a/src/windows/native/sun/windows/awt_BitmapUtil.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_BitmapUtil.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -39,13 +39,13 @@
 HBITMAP BitmapUtil::CreateTransparencyMaskFromARGB(int width, int height, int* imageData)
 {
     //Scan lines should be aligned to word boundary
-    int bufLength = ((width + 15) / 16 * 2) * height;//buf length (bytes)
+    if (!IS_SAFE_SIZE_ADD(width, 15)) return NULL;
+    char* buf = SAFE_SIZE_NEW_ARRAY2(char, (width + 15) / 16 * 2, height);
+    if (buf == NULL) return NULL;
     int* srcPos = imageData;
-    char* buf = new char[bufLength];
     char* bufPos = buf;
     int tmp = 0;
     int cbit = 0x80;
-    if (buf == NULL) return NULL;
     for (int i = 0; i < height; i++) {
         for (int j = 0; j < width; j++) {
             //cbit is shifted right for every pixel
@@ -251,8 +251,12 @@
             reinterpret_cast<BITMAPINFO*>(&bi), DIB_RGB_COLORS);
 
     /* reserving memory for the worst case */
-    RGNDATA * pRgnData = (RGNDATA *) safe_Malloc(sizeof(RGNDATAHEADER) +
-            sizeof(RECT) * (width / 2 + 1) * height);
+    if (!IS_SAFE_SIZE_MUL(width / 2 + 1, height)) {
+        throw std::bad_alloc();
+    }
+    RGNDATA * pRgnData = (RGNDATA *) SAFE_SIZE_STRUCT_ALLOC(safe_Malloc,
+            sizeof(RGNDATAHEADER),
+            sizeof(RECT), (width / 2 + 1) * height);
     RGNDATAHEADER * pRgnHdr = (RGNDATAHEADER *) pRgnData;
     pRgnHdr->dwSize = sizeof(RGNDATAHEADER);
     pRgnHdr->iType = RDH_RECTANGLES;
--- a/src/windows/native/sun/windows/awt_Component.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_Component.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -2184,12 +2184,12 @@
         if (insets != NULL) {
             ::OffsetRgn(rgn, insets->left, insets->top);
         }
-        int size = ::GetRegionData(rgn, 0, NULL);
+        DWORD size = ::GetRegionData(rgn, 0, NULL);
         if (size == 0) {
             ::DeleteObject((HGDIOBJ)rgn);
             return;
         }
-        char* buffer = new char[size];
+        char* buffer = new char[size]; // safe because sizeof(char)==1
         memset(buffer, 0, size);
         LPRGNDATA rgndata = (LPRGNDATA)buffer;
         rgndata->rdh.dwSize = sizeof(RGNDATAHEADER);
@@ -6114,18 +6114,30 @@
         c = (AwtComponent *)pData;
         if (::IsWindow(c->GetHWnd())) {
             HRGN hRgn = NULL;
+
+            // If all the params are zeros, the shape must be simply reset.
+            // Otherwise, convert it into a region.
             if (region || x1 || x2 || y1 || y2) {
-                // If all the params are zeros, the shape must be simply reset.
-                // Otherwise, convert it into a region.
-                RGNDATA *pRgnData = NULL;
-                RGNDATAHEADER *pRgnHdr;
-
-                /* reserving memory for the worst case */
-                size_t worstBufferSize = size_t(((x2 - x1) / 2 + 1) * (y2 - y1));
-                pRgnData = (RGNDATA *) safe_Malloc(sizeof(RGNDATAHEADER) +
-                        sizeof(RECT_T) * worstBufferSize);
-                pRgnHdr = (RGNDATAHEADER *) pRgnData;
-
+                RECT_T rects[256];
+                RECT_T *pRect = rects;
+
+                const int numrects = RegionToYXBandedRectangles(env, x1, y1, x2, y2,
+                        region, &pRect, sizeof(rects)/sizeof(rects[0]));
+                if (!pRect) {
+                    // RegionToYXBandedRectangles doesn't use safe_Malloc(),
+                    // so throw the exception explicitly
+                    throw std::bad_alloc();
+                }
+
+                RGNDATA *pRgnData = (RGNDATA *) SAFE_SIZE_STRUCT_ALLOC(safe_Malloc,
+                        sizeof(RGNDATAHEADER), sizeof(RECT_T), numrects);
+                memcpy(pRgnData + sizeof(RGNDATAHEADER), pRect, sizeof(RECT_T) * numrects);
+                if (pRect != rects) {
+                    free(pRect);
+                }
+                pRect = NULL;
+
+                RGNDATAHEADER *pRgnHdr = (RGNDATAHEADER *) pRgnData;
                 pRgnHdr->dwSize = sizeof(RGNDATAHEADER);
                 pRgnHdr->iType = RDH_RECTANGLES;
                 pRgnHdr->nRgnSize = 0;
@@ -6133,9 +6145,7 @@
                 pRgnHdr->rcBound.left = 0;
                 pRgnHdr->rcBound.bottom = LONG(y2 - y1);
                 pRgnHdr->rcBound.right = LONG(x2 - x1);
-
-                RECT_T * pRect = (RECT_T *) (((BYTE *) pRgnData) + sizeof(RGNDATAHEADER));
-                pRgnHdr->nCount = RegionToYXBandedRectangles(env, x1, y1, x2, y2, region, &pRect, worstBufferSize);
+                pRgnHdr->nCount = numrects;
 
                 hRgn = ::ExtCreateRegion(NULL,
                         sizeof(RGNDATAHEADER) + sizeof(RECT_T) * pRgnHdr->nCount, pRgnData);
@@ -6277,7 +6287,7 @@
     jint * tmp = env->GetIntArrayElements(obj, JNI_FALSE);
 
     jsize len = env->GetArrayLength(obj);
-    AwtComponent::masks = new jint[len];
+    AwtComponent::masks = SAFE_SIZE_NEW_ARRAY(jint, len);
     for (int i = 0; i < len; i++) {
         AwtComponent::masks[i] = tmp[i];
     }
@@ -7164,3 +7174,4 @@
         delete tmpDCList;
     }
 }
+
--- a/src/windows/native/sun/windows/awt_Cursor.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_Cursor.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -345,14 +345,14 @@
         return;
     }
 
-    int length = env->GetArrayLength(andMask);
-    jbyte *andMaskPtr = new jbyte[length];
+    jsize length = env->GetArrayLength(andMask);
+    jbyte *andMaskPtr = new jbyte[length]; // safe because sizeof(jbyte)==1
     env->GetByteArrayRegion(andMask, 0, length, andMaskPtr);
 
     HBITMAP hMask = ::CreateBitmap(nW, nH, 1, 1, (BYTE *)andMaskPtr);
     ::GdiFlush();
 
-    int *cols = new int[nW*nH];
+    int *cols = SAFE_SIZE_NEW_ARRAY2(int, nW, nH);
 
     jint *intRasterDataPtr = NULL;
     HBITMAP hColor = NULL;
--- a/src/windows/native/sun/windows/awt_DataTransferer.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_DataTransferer.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -282,13 +282,13 @@
         }
 
         UINT bufsize = 512; // in characters, not in bytes
-        buffer = (LPTSTR)safe_Malloc(bufsize*sizeof(TCHAR));
+        buffer = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, bufsize, sizeof(TCHAR));
 
         for (UINT i = 0; i < nFilenames; i++) {
             UINT size = ::DragQueryFile(hdrop, i, NULL, 0);
             if (size > bufsize) {
                 bufsize = size;
-                buffer = (LPTSTR)safe_Realloc(buffer, bufsize*sizeof(TCHAR));
+                buffer = (LPTSTR)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, buffer, bufsize, sizeof(TCHAR));
             }
             ::DragQueryFile(hdrop, i, buffer, bufsize);
 
@@ -360,7 +360,7 @@
         return NULL;
     }
 
-    jbyte* bBytes = (jbyte*)safe_Malloc(size * sizeof(jbyte));
+    jbyte* bBytes = (jbyte*)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, size, sizeof(jbyte));
 
     try {
 
@@ -772,9 +772,9 @@
                         } else {
                             LPBYTE lpbMfBuffer = NULL;
                             try {
-                                UINT uMfSizeWithHead = uMfSize + sizeof(METAFILEPICT);
-
-                                lpbMfBuffer = (LPBYTE)safe_Malloc(uMfSizeWithHead);
+                                lpbMfBuffer = (LPBYTE)SAFE_SIZE_STRUCT_ALLOC(safe_Malloc,
+                                        sizeof(METAFILEPICT), uMfSize, 1);
+                                const UINT uMfSizeWithHead = uMfSize + sizeof(METAFILEPICT);
                                 VERIFY(::GetMetaFileBitsEx(hmf, uMfSize,
                                                             lpbMfBuffer + sizeof(METAFILEPICT)) == uMfSize);
                                 bytes = env->NewByteArray(uMfSizeWithHead);
--- a/src/windows/native/sun/windows/awt_DesktopProperties.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_DesktopProperties.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -171,7 +171,7 @@
     if (*valueType == REG_EXPAND_SZ) {
         // Pending: buffer must be null-terminated at this point
         valueChar = ExpandEnvironmentStrings(buffer, NULL, 0);
-        LPTSTR buffer2 = (LPTSTR)safe_Malloc(valueChar*sizeof(TCHAR));
+        LPTSTR buffer2 = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, valueChar, sizeof(TCHAR));
         ExpandEnvironmentStrings(buffer, buffer2, valueChar);
         free(buffer);
         return buffer2;
@@ -588,11 +588,11 @@
     }
 
     LPTSTR valueName = TEXT("PlaceN");
-    LPTSTR valueNameBuf = (LPTSTR)safe_Malloc((lstrlen(valueName) + 1) * sizeof(TCHAR));
+    LPTSTR valueNameBuf = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, (lstrlen(valueName) + 1), sizeof(TCHAR));
     lstrcpy(valueNameBuf, valueName);
 
     LPTSTR propKey = TEXT("win.comdlg.placesBarPlaceN");
-    LPTSTR propKeyBuf = (LPTSTR)safe_Malloc((lstrlen(propKey) + 1) * sizeof(TCHAR));
+    LPTSTR propKeyBuf = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, (lstrlen(propKey) + 1), sizeof(TCHAR));
     lstrcpy(propKeyBuf, propKey);
 
     int i = 0;
--- a/src/windows/native/sun/windows/awt_DnDDT.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_DnDDT.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -1037,8 +1037,8 @@
         if (m_dataObject->QueryGetData(&tmp) != S_OK) continue;
 
         if (m_nformats % CACHE_INCR == 0) {
-            m_formats = (FORMATETC *)safe_Realloc(m_formats,
-                                                  (CACHE_INCR + m_nformats) *
+            m_formats = (FORMATETC *)SAFE_SIZE_ARRAY_REALLOC(safe_Realloc, m_formats,
+                                                  CACHE_INCR + m_nformats,
                                                   sizeof(FORMATETC));
         }
 
--- a/src/windows/native/sun/windows/awt_InputMethod.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_InputMethod.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -333,7 +333,7 @@
     // list which is returned by GetKeyboardLayoutList ensures to match first when
     // looking up suitable layout.
     int layoutCount = ::GetKeyboardLayoutList(0, NULL) + 1;  // +1 for user's preferred HKL
-    HKL FAR * hKLList = (HKL FAR *)safe_Malloc(sizeof(HKL)*layoutCount);
+    HKL FAR * hKLList = (HKL FAR *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(HKL), layoutCount);
     DASSERT(!safe_ExceptionOccurred(env));
     ::GetKeyboardLayoutList(layoutCount - 1, &(hKLList[1]));
     hKLList[0] = getDefaultKeyboardLayout(); // put user's preferred layout on top of the list
@@ -444,7 +444,7 @@
 
     // get list of available HKLs
     int layoutCount = ::GetKeyboardLayoutList(0, NULL);
-    HKL FAR * hKLList = (HKL FAR *)safe_Malloc(sizeof(HKL)*layoutCount);
+    HKL FAR * hKLList = (HKL FAR *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(HKL), layoutCount);
     DASSERT(!safe_ExceptionOccurred(env));
     ::GetKeyboardLayoutList(layoutCount, hKLList);
 
@@ -453,7 +453,7 @@
     int destIndex = 0;
     int javaLocaleNameCount = 0;
     int current = 0;
-    const char ** javaLocaleNames = (const char **)safe_Malloc(sizeof(char *)*layoutCount);
+    const char ** javaLocaleNames = (const char **)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(char *), layoutCount);
     DASSERT(!safe_ExceptionOccurred(env));
     for (; srcIndex < layoutCount; srcIndex++) {
         const char * srcLocaleName = getJavaIDFromLangID(LOWORD(hKLList[srcIndex]));
@@ -517,7 +517,7 @@
     jstring infojStr = NULL;
 
     if ((buffSize = ::ImmGetDescription(hkl, szImmDescription, 0)) > 0) {
-        szImmDescription = (LPTSTR) safe_Malloc(buffSize * sizeof(TCHAR));
+        szImmDescription = (LPTSTR) SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, (buffSize+1), sizeof(TCHAR));
 
         if (szImmDescription != NULL) {
             ImmGetDescription(hkl, szImmDescription, buffSize);
--- a/src/windows/native/sun/windows/awt_PrintControl.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_PrintControl.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -484,8 +484,8 @@
                                               NULL, NULL);
 
     if (numPaperSizes > 0) {
-        papers = (WORD*)safe_Malloc(sizeof(WORD) * numPaperSizes);
-        paperSizes = (POINT *)safe_Malloc(sizeof(*paperSizes) *
+        papers = (WORD*)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(WORD), numPaperSizes);
+        paperSizes = (POINT *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(*paperSizes),
                                           numPaperSizes);
 
         DWORD result1 = DeviceCapabilities(printer, port,
--- a/src/windows/native/sun/windows/awt_PrintJob.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_PrintJob.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -433,7 +433,7 @@
         int measure = PSD_INTHOUSANDTHSOFINCHES;
         int sz = GetLocaleInfo(LOCALE_USER_DEFAULT, LOCALE_IMEASURE, NULL, 0);
         if (sz > 0) {
-          LPTSTR str = (LPTSTR)safe_Malloc(sizeof(TCHAR) * sz);
+          LPTSTR str = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(TCHAR), sz);
           if (str != NULL) {
             sz = GetLocaleInfo(LOCALE_USER_DEFAULT, LOCALE_IMEASURE, str, sz);
             if (sz > 0) {
@@ -645,7 +645,7 @@
           int sz = GetLocaleInfo(LOCALE_USER_DEFAULT,
                                  LOCALE_IMEASURE, NULL, 0);
           if (sz > 0) {
-            LPTSTR str = (LPTSTR)safe_Malloc(sizeof(TCHAR) * sz);
+            LPTSTR str = (LPTSTR)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(TCHAR), sz);
             if (str != NULL) {
               sz = GetLocaleInfo(LOCALE_USER_DEFAULT,
                                  LOCALE_IMEASURE, str, sz);
@@ -2302,8 +2302,8 @@
      * rounded advances will drift away from the true advance.
      */
     if (glyphPos != NULL && strLen > 0) {
-         xadvances = (int*)safe_Malloc(strLen * sizeof(int));
-         xyadvances = (int*)safe_Malloc(strLen * sizeof(int) * 2);
+         xadvances = (int*)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, strLen, sizeof(int));
+         xyadvances = (int*)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, strLen, sizeof(int) * 2);
     }
     if (xadvances != NULL && xyadvances != NULL) {
         int *inxAdvances = xadvances;
@@ -2513,8 +2513,9 @@
     if ((imgWidthByteSz % sizeof(DWORD)) != 0)
         padBytes = sizeof(DWORD) - (imgWidthByteSz % sizeof(DWORD));
 
+    jbyte* alignedImage = (jbyte*) SAFE_SIZE_ARRAY_ALLOC(safe_Malloc,
+            imgWidthByteSz+padBytes, ROUND_TO_LONG(srcHeight));
     long newImgSize = (imgWidthByteSz+padBytes) * ROUND_TO_LONG(srcHeight);
-    jbyte* alignedImage = (jbyte*) safe_Malloc(newImgSize);
 
     if (alignedImage != NULL) {
         memset(alignedImage, 0xff, newImgSize);
@@ -3116,7 +3117,7 @@
                                        DC_PAPERSIZE, NULL, NULL);
 
     if (numPaperSizes > 0) {
-        paperSizes = (POINT *)safe_Malloc(sizeof(*paperSizes) * numPaperSizes);
+        paperSizes = (POINT *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(*paperSizes), numPaperSizes);
 
         DWORD result = DeviceCapabilities(deviceName, portName,
                                           DC_PAPERSIZE, (LPTSTR) paperSizes,
@@ -3766,8 +3767,8 @@
     numPaperSizes = (int)DeviceCapabilities(printer, port, DC_PAPERSIZE,
                                             NULL, NULL);
     if (numPaperSizes > 0) {
-        papers = (WORD*)safe_Malloc(sizeof(WORD) * numPaperSizes);
-        paperSizes = (POINT *)safe_Malloc(sizeof(*paperSizes) * numPaperSizes);
+        papers = (WORD*)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(WORD), numPaperSizes);
+        paperSizes = (POINT *)SAFE_SIZE_ARRAY_ALLOC(safe_Malloc, sizeof(*paperSizes), numPaperSizes);
 
         DWORD result1 = DeviceCapabilities(printer, port,
                                            DC_PAPERS, (LPTSTR) papers, NULL);
--- a/src/windows/native/sun/windows/awt_Robot.cpp	Thu Mar 21 18:27:25 2013 +0100
+++ b/src/windows/native/sun/windows/awt_Robot.cpp	Thu Mar 21 10:49:14 2013 -0700
@@ -234,7 +234,9 @@
     static const int BITS_PER_PIXEL = 32;
     static const int BYTES_PER_PIXEL = BITS_PER_PIXEL/8;
 
+    if (!IS_SAFE_SIZE_MUL(width, height)) throw std::bad_alloc();
     int numPixels = width*height;
+    if (!IS_SAFE_SIZE_MUL(BYTES_PER_PIXEL, numPixels)) throw std::bad_alloc();
     int pixelDataSize = BYTES_PER_PIXEL*numPixels;
     DASSERT(pixelDataSize > 0 && pixelDataSize % 4 == 0);
     // allocate memory for BITMAPINFO + pixel data
@@ -244,6 +246,9 @@
     // end of our block of memory.  Now we allocate sufficient memory.
     // See MSDN docs for BITMAPINFOHEADER -bchristi
 
+    if (!IS_SAFE_SIZE_ADD(sizeof(BITMAPINFOHEADER) + 3 * sizeof(RGBQUAD), pixelDataSize)) {
+        throw std::bad_alloc();
+    }
     BITMAPINFO * pinfo = (BITMAPINFO *)(new BYTE[sizeof(BITMAPINFOHEADER) + 3 * sizeof(RGBQUAD) + pixelDataSize]);
 
     // pixel data starts after 3 RGBQUADS for color masks