diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_Fp.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_Fp.c index fa9a186d6d7..bc2df9b0b1a 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_Fp.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_Fp.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -76,6 +76,7 @@ #include "mlib_ImageCheck.h" #include "mlib_SysMath.h" #include "mlib_ImageConv.h" +#include "safe_math.h" /***************************************************************/ static void mlib_ImageConvMxNMulAdd_F32(mlib_f32 *dst, @@ -272,6 +273,9 @@ mlib_status mlib_convMxNext_f32(mlib_image *dst, mlib_s32 nch = mlib_ImageGetChannels(dst); mlib_s32 i, j, j1, k; + if (!SAFE_TO_MULT(3, wid_e) || !SAFE_TO_ADD(3 * wid_e, m)) { + return MLIB_FAILURE; + } if (3 * wid_e + m > 1024) { dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64)); @@ -629,6 +633,9 @@ mlib_status mlib_convMxNext_d64(mlib_image *dst, mlib_s32 nch = mlib_ImageGetChannels(dst); mlib_s32 i, j, j1, k; + if (!SAFE_TO_MULT(3, wid_e) || !SAFE_TO_ADD(3 * wid_e, m)) { + return MLIB_FAILURE; + } if (3 * wid_e + m > 1024) { dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64)); diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_ext.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_ext.c index ee15935dcfe..5869b0a54af 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_ext.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConvMxN_ext.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -82,6 +82,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" +#include "safe_math.h" /***************************************************************/ static void mlib_ImageConvMxNMulAdd_S32(mlib_d64 *dst, @@ -229,6 +230,9 @@ mlib_status mlib_convMxNext_s32(mlib_image *dst, /* internal buffer */ + if (!SAFE_TO_MULT(3, wid_e) || !SAFE_TO_ADD(3 * wid_e, m)) { + return MLIB_FAILURE; + } if (3 * wid_e + m > 1024) { dsa = mlib_malloc((3 * wid_e + m) * sizeof(mlib_d64)); diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16ext.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16ext.c index 57486b1cae5..00469d25719 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16ext.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16ext.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* * This define switches between functions of different data types @@ -260,8 +261,14 @@ static mlib_status mlib_ImageConv1xN_ext(mlib_image *dst, if (max_hsize > hgt) max_hsize = hgt; shgt = hgt + (n - 1); + if (!SAFE_TO_ADD(max_hsize, (n - 1))) { + return MLIB_FAILURE; + } smax_hsize = max_hsize + (n - 1); + if (!SAFE_TO_ADD(smax_hsize, 1) || !SAFE_TO_MULT(2, (smax_hsize + 1))) { + return MLIB_FAILURE; + } bsize = 2 * (smax_hsize + 1); if (bsize > BUFF_SIZE) { @@ -509,8 +516,16 @@ mlib_status CONV_FUNC_MxN FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_ADD(wid, (m - 1))) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 3), swid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { @@ -919,8 +934,14 @@ mlib_status CONV_FUNC_MxN_I chan1 = nchannel; chan2 = chan1 + chan1; + if (!SAFE_TO_ADD(wid, (m - 1))) { + return MLIB_FAILURE; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 2), swid)) { + return MLIB_FAILURE; + } bsize = (n + 2)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16nw.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16nw.c index 3b6985b7876..2e035d12453 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16nw.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_16nw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ #include "mlib_image.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* This define switches between functions of different data types @@ -466,6 +467,10 @@ mlib_status CONV_FUNC(MxN)(mlib_image *dst, FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_MULT((n + 3), wid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*wid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_32nw.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_32nw.c index 380ed044878..bb264d9dcd2 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_32nw.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_32nw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" +#include "safe_math.h" /***************************************************************/ #define CACHE_SIZE (64*1024) @@ -335,6 +336,10 @@ mlib_status CONV_FUNC(MxN)(mlib_image *dst, FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_MULT((n + 2), wid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 2)*wid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8ext.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8ext.c index c8b58e6f138..136d5a2b814 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8ext.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8ext.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* * This define switches between functions of different data types @@ -245,8 +246,14 @@ static mlib_status mlib_ImageConv1xN_ext(mlib_image *dst, if (max_hsize > hgt) max_hsize = hgt; shgt = hgt + (n - 1); + if (!SAFE_TO_ADD(max_hsize, (n - 1))) { + return MLIB_FAILURE; + } smax_hsize = max_hsize + (n - 1); + if (!SAFE_TO_ADD(smax_hsize, 1) || !SAFE_TO_MULT(2, (smax_hsize + 1))) { + return MLIB_FAILURE; + } bsize = 2 * (smax_hsize + 1); if (bsize > BUFF_SIZE) { @@ -494,8 +501,16 @@ mlib_status CONV_FUNC_MxN FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_ADD(wid, (m - 1))) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 3), swid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { @@ -904,8 +919,14 @@ mlib_status CONV_FUNC_MxN_I chan1 = nchannel; chan2 = chan1 + chan1; + if (!SAFE_TO_ADD(wid, (m - 1))) { + return MLIB_FAILURE; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 2), swid)) { + return MLIB_FAILURE; + } bsize = (n + 2)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8nw.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8nw.c index f65fda45c58..c144404b0f4 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8nw.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_8nw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* This define switches between functions of different data types @@ -467,6 +468,10 @@ mlib_status CONV_FUNC(MxN)(mlib_image *dst, FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_MULT((n + 3), wid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*wid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16ext.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16ext.c index b2757979a84..81a06f2fc28 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16ext.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16ext.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ #include "mlib_image.h" #include "mlib_ImageConv.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* * This define switches between functions of different data types @@ -270,8 +271,14 @@ static mlib_status mlib_ImageConv1xN_ext(mlib_image *dst, if (max_hsize > hgt) max_hsize = hgt; shgt = hgt + (n - 1); + if (!SAFE_TO_ADD(max_hsize, (n - 1))) { + return MLIB_FAILURE; + } smax_hsize = max_hsize + (n - 1); + if (!SAFE_TO_ADD(smax_hsize, 1) || !SAFE_TO_MULT(2, (smax_hsize + 1))) { + return MLIB_FAILURE; + } bsize = 2 * (smax_hsize + 1); if (bsize > BUFF_SIZE) { @@ -519,8 +526,16 @@ mlib_status CONV_FUNC_MxN FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_ADD(wid, (m - 1))) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 3), swid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { @@ -927,8 +942,14 @@ mlib_status CONV_FUNC_MxN_I chan1 = nchannel; chan2 = chan1 + chan1; + if (!SAFE_TO_ADD(wid, (m - 1))) { + return MLIB_FAILURE; + } swid = wid + (m - 1); + if (!SAFE_TO_MULT((n + 2), swid)) { + return MLIB_FAILURE; + } bsize = (n + 2)*swid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16nw.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16nw.c index a3234cf8959..49412c7d7ef 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16nw.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageConv_u16nw.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,6 +32,7 @@ #include "mlib_image.h" #include "mlib_c_ImageConv.h" +#include "safe_math.h" /* This define switches between functions of different data types @@ -466,6 +467,10 @@ mlib_status CONV_FUNC(MxN)(mlib_image *dst, FREE_AND_RETURN_STATUS; } + if (!SAFE_TO_MULT((n + 3), wid)) { + status = MLIB_FAILURE; + FREE_AND_RETURN_STATUS; + } bsize = (n + 3)*wid; if ((bsize > BUFF_SIZE) || (n > MAX_N)) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageLookUp_Bit.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageLookUp_Bit.c index 2e77c20aa57..cfd5e3e671e 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageLookUp_Bit.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageLookUp_Bit.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -50,6 +50,7 @@ #include "mlib_image.h" #include "mlib_ImageLookUp.h" +#include "safe_math.h" /***************************************************************/ #define MAX_WIDTH 512 @@ -302,6 +303,9 @@ mlib_status mlib_ImageLookUp_Bit_U8_2(const mlib_u8 *src, mlib_u8 *buff = (mlib_u8*)buff_lcl, *buffs; mlib_u32 val0, val1; + if (!SAFE_TO_MULT(xsize, 2)) { + return MLIB_FAILURE; + } size = xsize * 2; if (size > MAX_WIDTH) { @@ -440,6 +444,9 @@ mlib_status mlib_ImageLookUp_Bit_U8_3(const mlib_u8 *src, mlib_u8 *buff = (mlib_u8*)buff_lcl, *buffs; mlib_u32 l0, h0, v0, l1, h1, v1, l2, h2, v2; + if (!SAFE_TO_MULT(3, xsize)) { + return MLIB_FAILURE; + } size = 3 * xsize; if (size > MAX_WIDTH) { @@ -583,6 +590,9 @@ mlib_status mlib_ImageLookUp_Bit_U8_4(const mlib_u8 *src, mlib_u8 *buff = (mlib_u8*)buff_lcl, *buffs; mlib_u32 l, h; + if (!SAFE_TO_MULT(xsize, 4)) { + return MLIB_FAILURE; + } size = xsize * 4; if (size > MAX_WIDTH) { diff --git a/src/java.desktop/share/native/libmlib_image/mlib_ImageScanPoly.c b/src/java.desktop/share/native/libmlib_image/mlib_ImageScanPoly.c index a6f4cfdd36e..72adc212af6 100644 --- a/src/java.desktop/share/native/libmlib_image/mlib_ImageScanPoly.c +++ b/src/java.desktop/share/native/libmlib_image/mlib_ImageScanPoly.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2024, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -101,6 +101,11 @@ mlib_status mlib_AffineEdges(mlib_affine_param *param, return MLIB_FAILURE; } + int intSize = sizeof(mlib_s32); + if (!SAFE_TO_MULT(dstHeight, intSize) || + !SAFE_TO_ADD(dstHeight * intSize, 7)) { + return MLIB_FAILURE; + } bsize0 = (dstHeight * sizeof(mlib_s32) + 7) & ~7; if (lineAddr == NULL) { @@ -109,6 +114,10 @@ mlib_status mlib_AffineEdges(mlib_affine_param *param, param->buff_malloc = NULL; + if (!SAFE_TO_MULT(4, bsize0) || !SAFE_TO_ADD(4 * bsize0, bsize1)) { + return MLIB_FAILURE; + } + if ((4 * bsize0 + bsize1) > buff_size) { buff = param->buff_malloc = mlib_malloc(4 * bsize0 + bsize1);