From 25977969248df62760f2a48d5b7ce879b0f2a323 Mon Sep 17 00:00:00 2001
From: Andrew Brygin
Date: Fri, 19 Feb 2010 22:30:52 +0300
Subject: [PATCH] 6899653: Sun Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability

Reviewed-by: prr, hawtin
---
 jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c | 3 +++
 jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
index 16aec6c5362..c105c1c4b09 100644
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c
@@ -1433,6 +1433,9 @@ LPLUT LCMSEXPORT cmsReadICCLut(cmsHPROFILE hProfile, icTagSignature sig)
 // If is in memory, the LUT is already there, so throw a copy
 if (Icc -> TagPtrs[n]) {
+ if (!_cmsValidateLUT((LPLUT) Icc ->TagPtrs[n])) {
+ return NULL;
+ }
 return cmsDupLUT((LPLUT) Icc ->TagPtrs[n]);
 }
diff --git a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
index ec37bebb1e3..8bf955435f4 100644
--- a/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
+++ b/jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c
@@ -1969,6 +1969,10 @@ cmsHTRANSFORM LCMSEXPORT cmsCreateMultiprofileTransform(cmsHPROFILE hProfiles[],
 goto ErrorCleanup;
 }
+ if (Transforms[i] == NULL) {
+ cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform");
+ goto ErrorCleanup;
+ }
 CurrentColorSpace = ColorSpaceOut;
 }
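Review bot: The rejection branch added to cmsReadICCLut returns NULL with no diagnostic, while the check this same commit adds in cmsxform.c reports through cmsSignalError, so a LUT refused by validation looks the same to a caller as a tag that is simply absent. A short comment above the check, for example `// Never duplicate an in-memory LUT that fails validation`, would record why the branch exists. The function continues outside the hunk: the path taken when `Icc -> TagPtrs[n]` is empty is not visible here, and it should be confirmed that a LUT built from profile data passes the same `_cmsValidateLUT` check before it is returned.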
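Review bot: The added `goto ErrorCleanup` in cmsCreateMultiprofileTransform is taken while `Transforms[i]` is NULL, and the code at that label is outside the hunk, so it should be confirmed that the cleanup tolerates a NULL entry and any entries after `i` that were never assigned. If the array is not cleared before the loop, zero-initialising it up front and skipping NULL slots during release would make this new error path safe. The message could also carry the profile index `i`, so that a rejected profile can be located from the log. The enclosing loop and the function both begin and end outside the hunk.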