From 22f94de7e6abdcf00ef9893416ccf5c0c3436ab8 Mon Sep 17 00:00:00 2001
From: Andrew Brygin
Date: Fri, 20 Feb 2009 13:48:32 +0300
Subject: [PATCH] 6804996: JWS PNG Decoding Integer Overflow [V-flrhat2ln8]
Reviewed-by: prr
---
 .../sun/awt/splashscreen/splashscreen_gif.c | 4 ----
 .../sun/awt/splashscreen/splashscreen_impl.h | 4 ++++
 .../sun/awt/splashscreen/splashscreen_png.c | 23 +++++++++++++++++++
 3 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c
index 71bc3a3b39d..f1651ab1f49 100644
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_gif.c
@@ -53,10 +53,6 @@ static const char szNetscape20ext[11] = "NETSCAPE2.0";
 // convert libungif samples to our ones
 #define MAKE_QUAD_GIF(c,a) MAKE_QUAD((c).Red, (c).Green, (c).Blue, (a))
-#define SAFE_TO_ALLOC(c, sz) \
- (((c) > 0) && ((sz) > 0) && \
- ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
-
 /* stdio FILE* and memory input functions for libungif */
 int SplashStreamGifInputFunc(GifFileType * gif, GifByteType * buf, int n)
diff --git a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h
index c6bad14c45a..6f4e03ef53e 100644
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_impl.h
@@ -155,6 +155,10 @@ int BitmapToYXBandedRectangles(ImageRect * pSrcRect, RECT_T * out);
 void SplashInitFrameShape(Splash * splash, int imageIndex);
+#define SAFE_TO_ALLOC(c, sz) \
+ (((c) > 0) && ((sz) > 0) && \
+ ((0xffffffffu / ((unsigned int)(c))) > (unsigned int)(sz)))
+
 #define dbgprintf printf
 #endif
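Review bot: `SAFE_TO_ALLOC` casts both operands to `unsigned int` before the division, so an operand wider than 32 bits (a `size_t` row length on an LP64 build, for instance) is truncated and a value that is really too large can still pass; the uses in the two splashscreen_png.c hunks below inherit this. Doing the comparison in a 64-bit unsigned type keeps the intended 32-bit product bound without the truncation: `((c) > 0 && (sz) > 0 && (unsigned long long)(c) < 0xffffffffu / (unsigned long long)(sz))` (substitute the platform's 64-bit unsigned type where the toolchain lacks `unsigned long long`). Both arguments are also evaluated twice, so callers must not pass expressions with side effects. A short comment above the macro stating what a true result guarantees and that restriction would help, since the header currently gives neither.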
diff --git a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
index f0926ec90dc..abc54dcb753 100644
--- a/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
+++ b/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c
@@ -103,9 +103,17 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
 rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ if (!SAFE_TO_ALLOC(rowbytes, height)) {
+ goto done;
+ }
+
 if ((image_data = (unsigned char *) malloc(rowbytes * height)) == NULL) {
 goto done;
 }
+
+ if (!SAFE_TO_ALLOC(height, sizeof(png_bytep))) {
+ goto done;
+ }
 if ((row_pointers = (png_bytepp) malloc(height * sizeof(png_bytep))) == NULL) {
 goto done;
@@ -121,13 +129,28 @@ SplashDecodePng(Splash * splash, png_rw_ptr read_func, void *io_ptr)
 splash->width = width;
 splash->height = height;
+ if (!SAFE_TO_ALLOC(splash->width, splash->imageFormat.depthBytes)) {
+ goto done;
+ }
 stride = splash->width * splash->imageFormat.depthBytes;
+ if (!SAFE_TO_ALLOC(splash->height, stride)) {
+ goto done;
+ }
 splash->frameCount = 1;
 splash->frames = (SplashImage *) malloc(sizeof(SplashImage) * splash->frameCount);
+
+ if (splash->frames == NULL) {
+ goto done;
+ }
+
 splash->loopCount = 1;
 splash->frames[0].bitmapBits = malloc(stride * splash->height);
+ if (splash->frames[0].bitmapBits == NULL) {
+ free(splash->frames);
+ goto done;
+ }
 splash->frames[0].delay = 0;
 /* FIXME: sort out the real format */
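Review bot: The two new `SAFE_TO_ALLOC` checks carry no explanation of what they protect, and the second one is wedged directly against the `row_pointers` allocation while the first is set off by a blank line; a one-line comment such as `/* reject dimensions whose byte size would wrap the malloc argument */` above the first check, and the same spacing for both, would make the intent readable. The second check exits after `image_data` has already been allocated, so the new early return relies on the `done:` label releasing it; that label is outside the hunk and cannot be confirmed from here. SplashDecodePng's body begins and continues outside this hunk.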
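Review bot: The `bitmapBits == NULL` branch frees `splash->frames` but leaves `splash->frames` pointing at the freed block and `splash->frameCount` at 1, and the `frames == NULL` branch likewise exits with `frameCount` already set to 1; any later cleanup that walks `frames[0..frameCount)`, which this hunk does not show, would then touch freed or null memory. Resetting the fields before leaving keeps the struct consistent: `free(splash->frames); splash->frames = NULL; splash->frameCount = 0; goto done;`, with `splash->frameCount = 0;` added on the `frames == NULL` path as well. The function continues past the end of the hunk, so whether `done:` already compensates is unverified here.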