changeset 2610:9856ea68e32b
6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]
Reviewed-by: prr
author | bae |
---|---|
date | Thu, 05 Mar 2009 19:36:51 +0300 |
parents | 1db65c97bddc |
children | c22bf553c819 |
files | jdk/src/share/classes/sun/awt/image/GifImageDecoder.java jdk/src/share/native/sun/awt/image/gif/gifdecoder.c |
diffstat | 2 files changed, 14 insertions(+), 2 deletions(-) [+] |
--- a/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java Tue Mar 03 16:10:37 2009 -0800 +++ b/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java Thu Mar 05 19:36:51 2009 +0300 @@ -585,9 +585,16 @@ System.out.print("Reading a " + width + " by " + height + " " + (interlace ? "" : "non-") + "interlaced image..."); } - + int initCodeSize = ExtractByte(block, 9); + if (initCodeSize >= 12) { + if (verbose) { + System.out.println("Invalid initial code size: " + + initCodeSize); + } + return false; + } boolean ret = parseImage(x, y, width, height, - interlace, ExtractByte(block, 9), + interlace, initCodeSize, block, rasline, model); if (!ret) {
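Review bot: The new guard bounds initCodeSize only from above, so the values 0 and 1 — which conforming GIF encoders never emit for the LZW minimum code size (they use 2..8) — still reach parseImage; whether the native decoder copes with a clear code of 1 is not visible from this hunk, so either confirm that or tighten the test to `if (initCodeSize < 2 || initCodeSize >= 12) {`. The literal 12 encodes the same limit as the native side's 4096-entry (1 << 12) tables, and nothing ties the two together; a named constant such as `private static final int MAX_LZW_CODE_SIZE = 12; // table size in gifdecoder.c is 1 << 12` would keep the Java and native checks from drifting apart. The enclosing method begins and ends outside the hunk.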
--- a/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c Tue Mar 03 16:10:37 2009 -0800 +++ b/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c Thu Mar 05 19:36:51 2009 +0300 @@ -191,6 +191,11 @@ int passht = passinc; int len; + /* We have verified the initial code size on the java layer. + * Here we just check bounds for particular indexes. */ + if (freeCode >= 4096 || maxCode >= 4096) { + return 0; + } if (blockh == 0 || raslineh == 0 || prefixh == 0 || suffixh == 0 || outCodeh == 0)
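Review bot: The new comment says where the other check lives rather than what this one enforces, which is the part a later maintainer needs: freeCode and maxCode are presumably used as indexes into the fixed 4096-entry prefix/suffix/outCode tables, so the comment should read along the lines of `/* freeCode and maxCode index the 4096-entry (1 << 12) LZW tables; reject anything at or past the end here regardless of what the Java caller validated. */`. The guard returns 0 without raising an exception, so a corrupt stream is reported to Java the same way as any other parse failure; that is consistent with the Java hunk treating false as a decode error, but the comment should say so. If the decode loop later in this function advances freeCode as the table grows, that path needs its own bound check; the loop, like the start and end of the enclosing function, is outside the hunk.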