changeset 8869:2f8b9acb3035 8u60-b07

RT-40211: Untrusted native pointer in rt/modules/graphics/src/main/native-prism-sw/ Reviewed-by: kcr
author Chien Yang <chien.yang@oracle.com>
date Fri, 13 Mar 2015 14:21:16 -0700
parents dfb0540a3d26
children cbe942c0e3bb 810f1d69f8b7 0abffdf93afc
files modules/graphics/src/main/native-prism-sw/JAbstractSurface.c
diffstat 1 files changed, 20 insertions(+), 8 deletions(-) [+]
--- a/modules/graphics/src/main/native-prism-sw/JAbstractSurface.c	Fri Mar 13 13:27:47 2015 -0700
+++ b/modules/graphics/src/main/native-prism-sw/JAbstractSurface.c	Fri Mar 13 14:21:16 2015 -0700
@@ -73,9 +73,15 @@
     CORRECT_DIMS(surface, x, y, width, height, dstX, dstY);
 
     if ((width > 0) && (height > 0)) {
-        jint* dstData = (jint*)(*env)->GetPrimitiveArrayCritical(env, 
-                                                                 arrayHandle,
-                                                                 NULL);
+        jint* dstData;
+        jsize dstDataLength = (*env)->GetArrayLength(env, arrayHandle);
+        jint dstStart = offset + dstY * scanLength + dstX;
+        jint dstEnd = dstStart + height * scanLength - 1;
+        if ((dstStart < 0) || (dstStart >= dstDataLength) || (dstEnd < 0) || (dstEnd >= dstDataLength)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of range access of buffer");
+            return;
+        }
+        dstData = (jint*)(*env)->GetPrimitiveArrayCritical(env, arrayHandle, NULL);
         if (dstData != NULL) {
             jint* src;
             jint* dst;
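Review bot: The new range check computes `dstStart` and `dstEnd` in 32-bit `jint`, so `dstY * scanLength` and `height * scanLength` (presumably caller-supplied values) can overflow, which is undefined behaviour in C and can wrap to a value that passes the test while the rows actually touched lie outside the array. Doing the arithmetic in a wider type avoids this: `jlong dstStart = (jlong)offset + (jlong)dstY * scanLength + dstX;` and `jlong dstEnd = dstStart + (jlong)(height - 1) * scanLength + width - 1;`. The check also never compares `scanLength` with `width`. Assuming each row copies `width` elements and then advances by `scanLength` (the copy loop continues outside this hunk), a `scanLength` that is negative, zero or smaller than `width` makes `dstEnd` understate the last element written, so `scanLength < width` should be rejected as well. The same applies to `srcStart`/`srcEnd` in the third hunk (the `surface_setRGB` path), whose exception message also starts with lowercase "out" where this one has "Out".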
@@ -84,7 +90,7 @@
 
             ACQUIRE_SURFACE(surface, env, objectHandle);
             src = (jint*)surface->data + y * surface->width + x;
-            dst = dstData + offset + dstY * scanLength + dstX;
+            dst = dstData + dstStart;
             for (; height > 0; --height) {
                 jint w2 = width;
                 for (; w2 > 0; --w2) {
@@ -123,14 +129,20 @@
     CORRECT_DIMS(surface, x, y, width, height, srcX, srcY);
 
     if ((width > 0) && (height > 0)) {
-        jint* srcData = (jint*)(*env)->GetPrimitiveArrayCritical(env, 
-                                                                 arrayHandle,
-                                                                 NULL);
+        jint* srcData;
+        jsize srcDataLength = (*env)->GetArrayLength(env, arrayHandle);
+        jint srcStart = offset + srcY * scanLength + srcX;
+        jint srcEnd = srcStart + height * scanLength - 1;
+        if ((srcStart < 0) || (srcStart >= srcDataLength) || (srcEnd < 0) || (srcEnd >= srcDataLength)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "out of range access of buffer");
+            return;
+        }
+        srcData = (jint*)(*env)->GetPrimitiveArrayCritical(env, arrayHandle, NULL);
         if (srcData != NULL) {
             jint* src;
 
             ACQUIRE_SURFACE(surface, env, objectHandle);
-            src = srcData + offset + srcY * scanLength + srcX;
+            src = srcData + srcStart;
             surface_setRGB(surface, x, y, width, height, src, scanLength);
             RELEASE_SURFACE(surface, env, objectHandle);