RFR: JDK-8347377 : Add validation checks for ICC_Profile header fields [v3]
Harshitha Onkar
honkar at openjdk.org
Mon Jan 13 21:02:40 UTC 2025
On Mon, 13 Jan 2025 19:15:32 GMT, Sergey Bylokhov <serb at openjdk.org> wrote:
>> src/java.desktop/share/classes/java/awt/color/ICC_Profile.java line 795:
>>
>>> 793: }
>>> 794:
>>> 795: if (p != null) {
>>
>> If it is possible to get null here we should throw an exception, but I think we throw that exception already in the native.
>
> it is probably better to add this validation into ProfileDataVerifier.verify(data), and check it even before .getModule().loadProfile(data)
This requires making the new method `verifyHeader()` public so that it can be used in ProfileDataVerifier.verify(data) as follows.

    byte[] theHeader = new byte[HEADER_SIZE];
    System.arraycopy(data, 0, theHeader, 0, HEADER_SIZE);
    ICC_Profile.verifyHeader(theHeader);

or it can be added before .getModule().loadProfile(data) within ICC_Profile.getInstance() and this keeps verifyHeader() private.

    public static ICC_Profile getInstance(byte[] data) {
        ProfileDataVerifier.verify(data);
        Profile p;
        try {
            byte[] theHeader = new byte[HEADER_SIZE];
            System.arraycopy(data, 0, theHeader, 0, HEADER_SIZE);
            verifyHeader(theHeader);
            p = CMSManager.getModule().loadProfile(data);
        } catch (CMMException c) {
            throw new IllegalArgumentException("Invalid ICC Profile Data");
        }

@prrace Your suggestion on whether to have `verifyHeader()` as private or public method? If we decide to make it public then a CSR is required.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23044#discussion_r1913795818
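
As an added illustration (not the JDK's `verifyHeader()` and not code from this PR), a pure-Java check that rejects a malformed header before the bytes would reach the native CMM, which is the ordering discussed in the message above. The class name, the choice of three fields and the error messages are assumptions; the offsets follow the ICC header layout.

```java
import java.nio.ByteBuffer;

// Added illustration; not the JDK's verifyHeader(). Field choice is an assumption.
public class IccHeaderCheck {
    static final int HEADER_SIZE = 128;       // fixed ICC header length
    static final int OFF_SIZE = 0;            // uint32: declared profile size
    static final int OFF_MAGIC = 36;          // uint32: file signature 'acsp'
    static final int OFF_INTENT = 64;         // uint32: rendering intent
    static final int MAGIC_ACSP = 0x61637370; // 'a' 'c' 's' 'p'
    static final int MAX_INTENT = 3;          // intents are 0..3

    // Throws IllegalArgumentException on a malformed header; never touches native code.
    static void check(byte[] data) {
        if (data == null || data.length < HEADER_SIZE) {
            throw new IllegalArgumentException("ICC header truncated");
        }
        ByteBuffer h = ByteBuffer.wrap(data); // big-endian by default, as ICC requires
        int declared = h.getInt(OFF_SIZE);
        // A uint32 above Integer.MAX_VALUE reads as negative and fails the first test.
        if (declared < HEADER_SIZE || declared > data.length) {
            throw new IllegalArgumentException("ICC declared size out of range");
        }
        if (h.getInt(OFF_MAGIC) != MAGIC_ACSP) {
            throw new IllegalArgumentException("ICC signature missing");
        }
        int intent = h.getInt(OFF_INTENT);
        if (intent < 0 || intent > MAX_INTENT) {
            throw new IllegalArgumentException("ICC rendering intent invalid");
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a header-only buffer with the three fields set.
        byte[] data = new byte[HEADER_SIZE];
        ByteBuffer b = ByteBuffer.wrap(data);
        b.putInt(OFF_SIZE, HEADER_SIZE).putInt(OFF_MAGIC, MAGIC_ACSP).putInt(OFF_INTENT, 1);
        check(data);
        System.out.println("well-formed header accepted");

        b.putInt(OFF_INTENT, 7); // out-of-range intent
        try {
            check(data);
            System.out.println("malformed header accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```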