changeset 1836:34cc7663e7b8

6872357: JRE AWT setDifflCM vulnerable to Stack Overflow Reviewed-by: prr, hawtin
author bae
date Thu, 10 Sep 2009 12:50:09 +0400
parents 689874730539
children 1eff4e2de700
files src/share/native/sun/awt/image/awt_ImageRep.c
diffstat 1 files changed, 7 insertions(+), 0 deletions(-) [+]
--- a/src/share/native/sun/awt/image/awt_ImageRep.c	Thu Sep 10 12:26:34 2009 +0400
+++ b/src/share/native/sun/awt/image/awt_ImageRep.c	Thu Sep 10 12:50:09 2009 +0400
@@ -266,6 +266,13 @@
     jnewlut = (*env)->GetObjectField(env, jicm, g_ICMrgbID);
     mapSize = (*env)->GetIntField(env, jicm, g_ICMmapSizeID);
 
+    if (numLut < 0 || numLut > 256 || mapSize < 0 || mapSize > 256) {
+        /* Ether old or new ICM has a palette that exceeds capacity
+           of byte data type, so we have to convert the image data
+           to default representation.
+        */
+        return 0;
+    }
     srcLUT = (unsigned int *) (*env)->GetPrimitiveArrayCritical(env, jlut,
                                                                 NULL);
     if (srcLUT == NULL) {
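Review bot: The new guard at the top of the hunk bounds `numLut` and `mapSize` to 0..256, but both are read from Java object fields and nothing visible here ties them to the actual lengths of `jlut` and `jnewlut`, which are pinned right afterwards and presumably indexed by those counts. Unless the rest of the function (it continues outside the hunk) already checks this, I would also reject a count larger than its array before entering the critical section, e.g. `if ((*env)->GetArrayLength(env, jlut) < numLut || (*env)->GetArrayLength(env, jnewlut) < mapSize) return 0;`. The literal 256 presumably mirrors the size of a fixed table further down, so a shared named constant would keep the check and the buffer from drifting apart. Placing the early return before `GetPrimitiveArrayCritical` is right, since nothing has to be released on that path. Small typo in the added comment: "Ether" should read "Either".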