From d033b16582b431ff568424feec7f7571cc619c3d Mon Sep 17 00:00:00 2001
From: Andrew Brygin
Date: Thu, 5 Mar 2009 19:36:51 +0300
Subject: [PATCH] 6804998: JRE GIF Decoding Heap Corruption [V-y6g5jlm8e1]

Reviewed-by: prr
---
 .../share/classes/sun/awt/image/GifImageDecoder.java | 11 +++++++++--
 jdk/src/share/native/sun/awt/image/gif/gifdecoder.c  |  5 +++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java b/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
index aa87fb82ef7..b0679afc437 100644
--- a/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
+++ b/jdk/src/share/classes/sun/awt/image/GifImageDecoder.java
@@ -585,9 +585,16 @@ public class GifImageDecoder extends ImageDecoder {
                 System.out.print("Reading a " + width + " by " + height + " " +
                                  (interlace ? "" : "non-") + "interlaced image...");
             }
-
+            int initCodeSize = ExtractByte(block, 9);
+            if (initCodeSize >= 12) {
+                if (verbose) {
+                    System.out.println("Invalid initial code size: " +
+                                       initCodeSize);
+                }
+                return false;
+            }
             boolean ret = parseImage(x, y, width, height,
-                                     interlace, ExtractByte(block, 9),
+                                     interlace, initCodeSize,
                                      block, rasline, model);
 
             if (!ret) {
diff --git a/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c b/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
index 1429931f8c6..893007f1366 100644
--- a/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
+++ b/jdk/src/share/native/sun/awt/image/gif/gifdecoder.c
@@ -191,6 +191,11 @@ Java_sun_awt_image_GifImageDecoder_parseImage(JNIEnv *env,
     int passht = passinc;
     int len;
 
+    /* We have verified the initial code size on the java layer.
+     * Here we just check bounds for particular indexes. */
+    if (freeCode >= 4096 || maxCode >= 4096) {
+        return 0;
+    }
     if (blockh == 0 || raslineh == 0 ||
         prefixh == 0 || suffixh == 0 ||
         outCodeh == 0)
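Review bot: The added `return false;` exits before the `parseImage` call and therefore bypasses the `if (!ret) {` block that follows it, so a rejected initial code size and a failed native parse take different paths; if that block does error reporting or cleanup (its body lies outside the hunk), the new rejection should flow into it too, for instance by computing `ret` as false instead of returning early. The `>= 12` threshold is not explained in the hunk and still admits values the format never produces (0, 1 and 9–11, the GIF LZW minimum code size being 2–8), so a comment such as `// LZW codes are at most 12 bits; a larger initial size would exceed the native decoder's code tables` would record why 12 was chosen, and whether 9–11 are handled safely depends on native arithmetic not visible here. The enclosing method starts before the hunk and continues after it.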
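Review bot: The comment `We have verified the initial code size on the java layer` documents the new guard as a secondary check, yet `Java_sun_awt_image_GifImageDecoder_parseImage` is a JNI entry point that can be reached with any `initCodeSize`, so the `freeCode`/`maxCode` bound is the authoritative defense and the comment should say so, e.g. `/* Bound check against the LZW code tables (12-bit codes, 4096 entries); this must hold regardless of any caller-side validation. */`, assuming the tables are indeed sized 4096. `4096` appears as a bare literal here; tying it to a named constant shared with the table allocation (outside the hunk) would keep the guard and the allocation from drifting apart. Whether `freeCode` is re-checked as it grows during decoding cannot be seen from this hunk. The function body begins before the hunk and continues after it.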