6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]

Reviewed-by: prr
2009-03-05 19:36:51 +03:00 · 2009-03-05 19:36:51 +03:00 · d033b16582
commit d033b16582
parent de4c8e0eb5
2 changed files with 14 additions and 2 deletions
--- a/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
+++ b/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
@ -585,9 +585,16 @@ public class GifImageDecoder extends ImageDecoder {
            System.out.print("Reading a " + width + " by " + height + " " +
                      (interlace ? "" : "non-") + "interlaced image...");
        }
-
+        int initCodeSize = ExtractByte(block, 9);
+        if (initCodeSize >= 12) {
+            if (verbose) {
+                System.out.println("Invalid initial code size: " +
+                                   initCodeSize);
+            }
+            return false;
+        }
        boolean ret = parseImage(x, y, width, height,
-                                 interlace, ExtractByte(block, 9),
+                                 interlace, initCodeSize,
                                 block, rasline, model);

        if (!ret) {
--- a/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
+++ b/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
@ -191,6 +191,11 @@ Java_sun_awt_image_GifImageDecoder_parseImage(JNIEnv *env,
    int passht = passinc;
    int len;

+    /* We have verified the initial code size on the java layer.
+     * Here we just check bounds for particular indexes. */
+    if (freeCode >= 4096 || maxCode >= 4096) {
+        return 0;
+    }
    if (blockh == 0 || raslineh == 0
        || prefixh == 0 || suffixh == 0
        || outCodeh == 0)