changeset 2907:32cac17b629e

6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability Reviewed-by: prr
author bae
date Thu, 01 Jul 2010 12:04:14 +0400
parents b2e9e8d1805c
children 0dbecf98ed6d
files src/share/native/sun/java2d/cmm/lcms/LCMS.c src/share/native/sun/java2d/cmm/lcms/cmsxform.c
diffstat 2 files changed, 8 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/native/sun/java2d/cmm/lcms/LCMS.c	Wed Jun 30 16:24:37 2010 +0100
+++ b/src/share/native/sun/java2d/cmm/lcms/LCMS.c	Thu Jul 01 12:04:14 2010 +0400
@@ -190,12 +190,13 @@
                                        "sTrans.xf == NULL");
         JNU_ThrowByName(env, "java/awt/color/CMMException",
                         "Cannot get color transform");
+    } else {
+        Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
     }
 
     if (iccArray != &_iccArray[0]) {
         free(iccArray);
     }
-    Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
     return sTrans.j;
 }
 
--- a/src/share/native/sun/java2d/cmm/lcms/cmsxform.c	Wed Jun 30 16:24:37 2010 +0100
+++ b/src/share/native/sun/java2d/cmm/lcms/cmsxform.c	Thu Jul 01 12:04:14 2010 +0400
@@ -687,6 +687,9 @@
                 LPGAMMATABLE Shapes1[3];
 
                 GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+                if (!GrayTRC) {
+                    return NULL;
+                }
                 FromLstarToXYZ(GrayTRC, Shapes1);
 
                 // Reversing must be done after curve translation
@@ -703,6 +706,9 @@
                 // Normal case
 
                 GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag);   // Y
+                if (!GrayTRC) {
+                    return NULL;
+                }
 
                 Shapes[0] = cmsDupGamma(GrayTRC);
                 Shapes[1] = cmsDupGamma(GrayTRC);