6899653: Sun Java Runtime CMM readMabCurveData Buffer Overflow Vulnerability

Reviewed-by: prr, hawtin

jdk/src/share/native/sun/java2d/cmm/lcms/cmsio1.c

@@ -1433,6 +1433,9 @@ LPLUT LCMSEXPORT cmsReadICCLut(cmsHPROFILE hProfile, icTagSignature sig)
 
     // If is in memory, the LUT is already there, so throw a copy
     if (Icc -> TagPtrs[n]) {
+        if (!_cmsValidateLUT((LPLUT) Icc ->TagPtrs[n])) {
+            return NULL;
+        }
 
         return cmsDupLUT((LPLUT) Icc ->TagPtrs[n]);
     }

jdk/src/share/native/sun/java2d/cmm/lcms/cmsxform.c

@@ -1969,6 +1969,10 @@ cmsHTRANSFORM LCMSEXPORT cmsCreateMultiprofileTransform(cmsHPROFILE hProfiles[],
                 goto ErrorCleanup;
         }
 
+        if (Transforms[i] == NULL) {
+            cmsSignalError(LCMS_ERRC_ABORTED, "cmsCreateMultiprofileTransform: unable to create transform");
+            goto ErrorCleanup;
+        }
         CurrentColorSpace = ColorSpaceOut;
 
     }