6963489: ZDI-CAN-803: Sun JRE ICC Profile Device Information Tag Remote Code Execution Vulnerability

Reviewed-by: prr
2026-02-16 21:35:25 +00:00 · 2010-07-01 12:04:14 +04:00 · 2010-07-01 12:04:14 +04:00 · f34c8ae290
commit f34c8ae290
parent 3eec4fa41e
2 changed files with 8 additions and 1 deletions
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/LCMS.c
@ -190,12 +190,13 @@ JNIEXPORT jlong JNICALL Java_sun_java2d_cmm_lcms_LCMS_createNativeTransform
                                       "sTrans.xf == NULL");
        JNU_ThrowByName(env, "java/awt/color/CMMException",
                        "Cannot get color transform");
+    } else {
+        Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
    }

    if (iccArray != &_iccArray[0]) {
        free(iccArray);
    }
-    Disposer_AddRecord(env, disposerRef, LCMS_freeTransform, sTrans.j);
    return sTrans.j;
 }

--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
@ -687,6 +687,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
                LPGAMMATABLE Shapes1[3];

                GrayTRC = cmsReadICCGamma(hProfile, icSigGrayTRCTag);
+                if (!GrayTRC) {
+                    return NULL;
+                }
                FromLstarToXYZ(GrayTRC, Shapes1);

                // Reversing must be done after curve translation
@ -703,6 +706,9 @@ LPMATSHAPER cmsBuildGrayOutputMatrixShaper(cmsHPROFILE hProfile)
                // Normal case

                GrayTRC = cmsReadICCGammaReversed(hProfile, icSigGrayTRCTag);   // Y
+                if (!GrayTRC) {
+                    return NULL;
+                }

                Shapes[0] = cmsDupGamma(GrayTRC);
                Shapes[1] = cmsDupGamma(GrayTRC);