6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8]

Reviewed-by: prr
2026-02-13 03:45:19 +00:00 · 2009-02-20 13:48:32 +03:00 · 2009-02-20 13:48:32 +03:00 · 22f94de7e6
commit 22f94de7e6
parent dcbd65a1c3
3 changed files with 27 additions and 4 deletions
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c
@ -53,10 +53,6 @@ static const char szNetscape20ext[11] = "NETSCAPE2.0";
 // convert libungif samples to our ones
 #define MAKE_QUAD_GIF(c,a) MAKE_QUAD((c).Red, (c).Green, (c).Blue, (a))

-#define SAFE_TO_ALLOC(c, sz)                                               \
-    (((c) > 0) && ((sz) > 0) &&                                            \
-     ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
-
 /* stdio FILE* and memory input functions for libungif */
 int
 SplashStreamGifInputFunc(GifFileType * gif, GifByteType * buf, int n)
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h
@ -155,6 +155,10 @@ int BitmapToYXBandedRectangles(ImageRect * pSrcRect, RECT_T * out);

 void SplashInitFrameShape(Splash * splash, int imageIndex);

+#define SAFE_TO_ALLOC(c, sz)                                               \
+    (((c) > 0) && ((sz) > 0) &&                                            \
+     ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
+
 #define dbgprintf printf

 #endif
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
@ -103,9 +103,17 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)

    rowbytes = png_get_rowbytes(png_ptr, info_ptr);

+    if (!SAFE_TO_ALLOC(rowbytes, height)) {
+        goto done;
+    }
+
    if ((image_data = (unsigned char *) malloc(rowbytes * height)) == NULL) {
        goto done;
    }
+
+    if (!SAFE_TO_ALLOC(height, sizeof(png_bytep))) {
+        goto done;
+    }
    if ((row_pointers = (png_bytepp) malloc(height * sizeof(png_bytep)))
            == NULL) {
        goto done;
@ -121,13 +129,28 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
    splash->width = width;
    splash->height = height;

+    if (!SAFE_TO_ALLOC(splash->width, splash->imageFormat.depthBytes)) {
+        goto done;
+    }
    stride = splash->width * splash->imageFormat.depthBytes;

+    if (!SAFE_TO_ALLOC(splash->height, stride)) {
+        goto done;
+    }
    splash->frameCount = 1;
    splash->frames = (SplashImage *)
        malloc(sizeof(SplashImage) * splash->frameCount);
+
+    if (splash->frames == NULL) {
+        goto done;
+    }
+
    splash->loopCount = 1;
    splash->frames[0].bitmapBits = malloc(stride * splash->height);
+    if (splash->frames[0].bitmapBits == NULL) {
+        free(splash->frames);
+        goto done;
+    }
    splash->frames[0].delay = 0;

    /* FIXME: sort out the real format */