/hg/release/icedtea6-1.12: 3 new changesets
omajid at icedtea.classpath.org
omajid at icedtea.classpath.org
Mon Mar 4 14:58:49 PST 2013
changeset abc301613e43 in /hg/release/icedtea6-1.12
details: http://icedtea.classpath.org/hg/release/icedtea6-1.12?cmd=changeset;node=abc301613e43
author: Omair Majid <omajid at redhat.com>
date: Mon Mar 04 16:37:59 2013 -0500
Add latest security fixes.
2013-03-04 Omair Majid <omajid at redhat.com>
* NEWS: List new security patches.
* Makefile.am (ICEDTEA_PATCHES): Add new patches.
* patches/security/20130304/8007014.patch,
* patches/security/20130304/8007675.patch:
New patches for the next security update.
changeset 5e17710282dd in /hg/release/icedtea6-1.12
details: http://icedtea.classpath.org/hg/release/icedtea6-1.12?cmd=changeset;node=5e17710282dd
author: Omair Majid <omajid at redhat.com>
date: Mon Mar 04 16:55:23 2013 -0500
Bump to 1.12.4 and set release date
changeset d868cd71c566 in /hg/release/icedtea6-1.12
details: http://icedtea.classpath.org/hg/release/icedtea6-1.12?cmd=changeset;node=d868cd71c566
author: Omair Majid <omajid at redhat.com>
date: Mon Mar 04 17:58:21 2013 -0500
Added tag icedtea6-1.12.4 for changeset 5e17710282dd
diffstat:
.hgtags | 1 +
ChangeLog | 13 +
Makefile.am | 4 +-
NEWS | 6 +-
configure.ac | 2 +-
patches/security/20130304/8007014.patch | 463 +++++++++++++++++++++++++++++
patches/security/20130304/8007675.patch | 509 ++++++++++++++++++++++++++++++++
7 files changed, 995 insertions(+), 3 deletions(-)
diffs (truncated from 1047 to 500 lines):
diff -r 948267a76960 -r d868cd71c566 .hgtags
--- a/.hgtags Wed Feb 20 13:02:43 2013 +1100
+++ b/.hgtags Mon Mar 04 17:58:21 2013 -0500
@@ -26,3 +26,4 @@
63fea6a4bee0e2e8ecb9f2061dba92be4924ddb4 icedtea6-1.12.1
ba91bee6c0d6d4634a4d6de69095af01689f7419 icedtea6-1.12.2
37209dd4b07599b5f83b33c63daae8d37c708e39 icedtea6-1.12.3
+5e17710282ddf2938993ae2077028cff3786c048 icedtea6-1.12.4
diff -r 948267a76960 -r d868cd71c566 ChangeLog
--- a/ChangeLog Wed Feb 20 13:02:43 2013 +1100
+++ b/ChangeLog Mon Mar 04 17:58:21 2013 -0500
@@ -1,3 +1,16 @@
+2013-03-04 Omair Majid <omajid at redhat.com>
+
+ * confiugre.ac: Prepare for 1.12.4.
+ * NEWS: Add release date fo 1.12.4.
+
+2013-03-04 Omair Majid <omajid at redhat.com>
+
+ * NEWS: List new security patches.
+ * Makefile.am (ICEDTEA_PATCHES): Add new patches.
+ * patches/security/20130304/8007014.patch,
+ * patches/security/20130304/8007675.patch:
+ New patches for the next security update.
+
2013-02-20 Andrew John Hughes <gnu.andrew at member.fsf.org>
* configure.ac: Bump to 1.12.4pre.
diff -r 948267a76960 -r d868cd71c566 Makefile.am
--- a/Makefile.am Wed Feb 20 13:02:43 2013 +1100
+++ b/Makefile.am Mon Mar 04 17:58:21 2013 -0500
@@ -277,7 +277,9 @@
patches/security/20130201/8001235.patch \
patches/security/20130219/8006446.patch \
patches/security/20130219/8006777.patch \
- patches/security/20130219/8007688.patch
+ patches/security/20130219/8007688.patch \
+ patches/security/20130304/8007014.patch \
+ patches/security/20130304/8007675.patch
SPECIAL_SECURITY_PATCH = patches/security/20120214/7112642.patch
diff -r 948267a76960 -r d868cd71c566 NEWS
--- a/NEWS Wed Feb 20 13:02:43 2013 +1100
+++ b/NEWS Mon Mar 04 17:58:21 2013 -0500
@@ -10,7 +10,11 @@
CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
-New in release 1.12.4 (2013-XX-XX):
+New in release 1.12.4 (2013-03-04):
+
+* Security fixes
+ - S8007014, CVE-2013-0809: Improve image handling
+ - S8007675, CVE-2013-1493: Improve color conversion
New in release 1.12.3 (2013-02-19):
diff -r 948267a76960 -r d868cd71c566 configure.ac
--- a/configure.ac Wed Feb 20 13:02:43 2013 +1100
+++ b/configure.ac Mon Mar 04 17:58:21 2013 -0500
@@ -1,4 +1,4 @@
-AC_INIT([icedtea6],[1.12.4pre],[distro-pkg-dev at openjdk.java.net])
+AC_INIT([icedtea6],[1.12.4],[distro-pkg-dev at openjdk.java.net])
AM_INIT_AUTOMAKE([1.9 tar-pax foreign])
AC_CONFIG_FILES([Makefile])
diff -r 948267a76960 -r d868cd71c566 patches/security/20130304/8007014.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20130304/8007014.patch Mon Mar 04 17:58:21 2013 -0500
@@ -0,0 +1,463 @@
+# HG changeset patch
+# User bae
+# Date 1360857111 -14400
+# Node ID 0dcf8ad3e63dfa4bb929bf2de99b95f18f5ea1c8
+# Parent 8a980f97e66a6433a1cdc946c90aff4433ea505c
+8007014: Improve image handling
+Reviewed-by: prr, mschoene, jgodinez
+
+--- openjdk/jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/classes/sun/awt/image/ByteComponentRaster.java Thu Feb 14 19:51:51 2013 +0400
+@@ -868,6 +868,15 @@ public class ByteComponentRaster extends
+ * or if data buffer has not enough capacity.
+ */
+ protected final void verify() {
++ /* Need to re-verify the dimensions since a sample model may be
++ * specified to the constructor
++ */
++ if (width <= 0 || height <= 0 ||
++ height > (Integer.MAX_VALUE / width))
++ {
++ throw new RasterFormatException("Invalid raster dimension");
++ }
++
+ for (int i = 0; i < dataOffsets.length; i++) {
+ if (dataOffsets[i] < 0) {
+ throw new RasterFormatException("Data offsets for band " + i
+@@ -905,12 +914,13 @@ public class ByteComponentRaster extends
+ lastPixelOffset += lastScanOffset;
+
+ for (int i = 0; i < numDataElements; i++) {
+- size = lastPixelOffset + dataOffsets[i];
+ if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) {
+ throw new RasterFormatException("Incorrect band offset: "
+ + dataOffsets[i]);
+
+ }
++
++ size = lastPixelOffset + dataOffsets[i];
+
+ if (size > maxSize) {
+ maxSize = size;
+--- openjdk/jdk/src/share/classes/sun/awt/image/BytePackedRaster.java Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/classes/sun/awt/image/BytePackedRaster.java Thu Feb 14 19:51:51 2013 +0400
+@@ -1368,11 +1368,35 @@ public class BytePackedRaster extends Su
+ throw new RasterFormatException("Data offsets must be >= 0");
+ }
+
++ /* Need to re-verify the dimensions since a sample model may be
++ * specified to the constructor
++ */
++ if (width <= 0 || height <= 0 ||
++ height > (Integer.MAX_VALUE / width))
++ {
++ throw new RasterFormatException("Invalid raster dimension");
++ }
++
++
++ /*
++ * pixelBitstride was verified in constructor, so just make
++ * sure that it is safe to multiply it by width.
++ */
++ if ((width - 1) > Integer.MAX_VALUE / pixelBitStride) {
++ throw new RasterFormatException("Invalid raster dimension");
++ }
++
++ if (scanlineStride < 0 ||
++ scanlineStride > (Integer.MAX_VALUE / height))
++ {
++ throw new RasterFormatException("Invalid scanline stride");
++ }
++
+ int lastbit = (dataBitOffset
+ + (height-1) * scanlineStride * 8
+ + (width-1) * pixelBitStride
+ + pixelBitStride - 1);
+- if (lastbit / 8 >= data.length) {
++ if (lastbit < 0 || lastbit / 8 >= data.length) {
+ throw new RasterFormatException("raster dimensions overflow " +
+ "array bounds");
+ }
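Review bot: The `lastbit` sum is still evaluated in 32-bit `int` arithmetic, and the guards added above it do not cover the `* 8` applied to `(height-1) * scanlineStride` or the addition of the four terms. The new `lastbit < 0` test therefore only catches a wrap that happens to land on a negative value; a wrapped result that is non-negative would still be compared against `data.length`. Doing the computation in 64 bits removes the dependence on where the wrap lands: `long lastbit = (long) dataBitOffset + (long) (height - 1) * scanlineStride * 8 + (long) (width - 1) * pixelBitStride + pixelBitStride - 1;`, keeping the existing `lastbit < 0 || lastbit / 8 >= data.length` test. The division by `pixelBitStride` also relies on the constructor having rejected zero, which is outside this hunk, as are the start and end of the enclosing method.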
+--- openjdk/jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/classes/sun/awt/image/IntegerComponentRaster.java Thu Feb 14 19:51:51 2013 +0400
+@@ -208,7 +208,7 @@ public class IntegerComponentRaster exte
+ " SinglePixelPackedSampleModel");
+ }
+
+- verify(false);
++ verify();
+ }
+
+
+@@ -629,16 +629,26 @@ public class IntegerComponentRaster exte
+ }
+
+ /**
+- * Verify that the layout parameters are consistent with
+- * the data. If strictCheck
+- * is false, this method will check for ArrayIndexOutOfBounds conditions. If
+- * strictCheck is true, this method will check for additional error
+- * conditions such as line wraparound (width of a line greater than
+- * the scanline stride).
+- * @return String Error string, if the layout is incompatible with
+- * the data. Otherwise returns null.
+- */
+- private void verify (boolean strictCheck) {
++ * Verify that the layout parameters are consistent with the data.
++ *
++ * The method verifies whether scanline stride and pixel stride do not
++ * cause an integer overflow during calculation of a position of the pixel
++ * in data buffer. It also verifies whether the data buffer has enough data
++ * to correspond the raster layout attributes.
++ *
++ * @throws RasterFormatException if an integer overflow is detected,
++ * or if data buffer has not enough capacity.
++ */
++ protected final void verify() {
++ /* Need to re-verify the dimensions since a sample model may be
++ * specified to the constructor
++ */
++ if (width <= 0 || height <= 0 ||
++ height > (Integer.MAX_VALUE / width))
++ {
++ throw new RasterFormatException("Invalid raster dimension");
++ }
++
+ if (dataOffsets[0] < 0) {
+ throw new RasterFormatException("Data offset ("+dataOffsets[0]+
+ ") must be >= 0");
+@@ -647,17 +657,46 @@ public class IntegerComponentRaster exte
+ int maxSize = 0;
+ int size;
+
+- for (int i=0; i < numDataElements; i++) {
+- size = (height-1)*scanlineStride + (width-1)*pixelStride +
+- dataOffsets[i];
++ // we can be sure that width and height are greater than 0
++ if (scanlineStride < 0 ||
++ scanlineStride > (Integer.MAX_VALUE / height))
++ {
++ // integer overflow
++ throw new RasterFormatException("Incorrect scanline stride: "
++ + scanlineStride);
++ }
++ int lastScanOffset = (height - 1) * scanlineStride;
++
++ if (pixelStride < 0 ||
++ pixelStride > (Integer.MAX_VALUE / width))
++ {
++ // integer overflow
++ throw new RasterFormatException("Incorrect pixel stride: "
++ + pixelStride);
++ }
++ int lastPixelOffset = (width - 1) * pixelStride;
++
++ if (lastPixelOffset > (Integer.MAX_VALUE - lastScanOffset)) {
++ // integer overflow
++ throw new RasterFormatException("Incorrect raster attributes");
++ }
++ lastPixelOffset += lastScanOffset;
++
++ for (int i = 0; i < numDataElements; i++) {
++ if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) {
++ throw new RasterFormatException("Incorrect band offset: "
++ + dataOffsets[i]);
++ }
++
++ size = lastPixelOffset + dataOffsets[i];
++
+ if (size > maxSize) {
+ maxSize = size;
+ }
+ }
+ if (data.length < maxSize) {
+- throw new RasterFormatException("Data array too small (should be "+
+- maxSize
+- +" but is "+data.length+" )");
++ throw new RasterFormatException("Data array too small (should be "
++ + maxSize + " )");
+ }
+ }
+
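Review bot: The closing capacity test `if (data.length < maxSize)` accepts a buffer whose length equals `maxSize`, yet `maxSize` is built from `lastPixelOffset + dataOffsets[i]`, i.e. the index of the last element, which needs `data.length > maxSize` to be in range. The line is carried over as context rather than introduced here, but the rewritten `verify()` keeps it, so the new overflow checks still feed an off-by-one bound. I would change it to `if (data.length <= maxSize) {` and word the message as "should be > " so it matches the condition. The method begins before this hunk, so how any native code consumes the verified layout cannot be confirmed from these lines.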
+--- openjdk/jdk/src/share/classes/sun/awt/image/IntegerInterleavedRaster.java Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/classes/sun/awt/image/IntegerInterleavedRaster.java Thu Feb 14 19:51:51 2013 +0400
+@@ -151,7 +151,7 @@ public class IntegerInterleavedRaster ex
+ throw new RasterFormatException("IntegerInterleavedRasters must have"+
+ " SinglePixelPackedSampleModel");
+ }
+- verify(false);
++ verify();
+ }
+
+
+@@ -540,31 +540,6 @@ public class IntegerInterleavedRaster ex
+ return createCompatibleWritableRaster(width,height);
+ }
+
+- /**
+- * Verify that the layout parameters are consistent with
+- * the data. If strictCheck
+- * is false, this method will check for ArrayIndexOutOfBounds conditions. If
+- * strictCheck is true, this method will check for additional error
+- * conditions such as line wraparound (width of a line greater than
+- * the scanline stride).
+- * @return String Error string, if the layout is incompatible with
+- * the data. Otherwise returns null.
+- */
+- private void verify (boolean strictCheck) {
+- int maxSize = 0;
+- int size;
+-
+- size = (height-1)*scanlineStride + (width-1) + dataOffsets[0];
+- if (size > maxSize) {
+- maxSize = size;
+- }
+- if (data.length < maxSize) {
+- throw new RasterFormatException("Data array too small (should be "+
+- maxSize
+- +" but is "+data.length+" )");
+- }
+- }
+-
+ public String toString() {
+ return new String ("IntegerInterleavedRaster: width = "+width
+ +" height = " + height
+--- openjdk/jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/classes/sun/awt/image/ShortComponentRaster.java Thu Feb 14 19:51:51 2013 +0400
+@@ -802,6 +802,15 @@ public class ShortComponentRaster extend
+ * or if data buffer has not enough capacity.
+ */
+ protected final void verify() {
++ /* Need to re-verify the dimensions since a sample model may be
++ * specified to the constructor
++ */
++ if (width <= 0 || height <= 0 ||
++ height > (Integer.MAX_VALUE / width))
++ {
++ throw new RasterFormatException("Invalid raster dimension");
++ }
++
+ for (int i = 0; i < dataOffsets.length; i++) {
+ if (dataOffsets[i] < 0) {
+ throw new RasterFormatException("Data offsets for band " + i
+@@ -839,11 +848,12 @@ public class ShortComponentRaster extend
+ lastPixelOffset += lastScanOffset;
+
+ for (int i = 0; i < numDataElements; i++) {
+- size = lastPixelOffset + dataOffsets[i];
+ if (dataOffsets[i] > (Integer.MAX_VALUE - lastPixelOffset)) {
+ throw new RasterFormatException("Incorrect band offset: "
+ + dataOffsets[i]);
+ }
++
++ size = lastPixelOffset + dataOffsets[i];
+
+ if (size > maxSize) {
+ maxSize = size;
+--- openjdk/jdk/src/share/native/sun/awt/image/awt_parseImage.c Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/native/sun/awt/image/awt_parseImage.c Thu Feb 14 19:51:51 2013 +0400
+@@ -34,6 +34,7 @@
+ #include "java_awt_color_ColorSpace.h"
+ #include "awt_Mlib.h"
+ #include "safe_alloc.h"
++#include "safe_math.h"
+
+ static int setHints(JNIEnv *env, BufImageS_t *imageP);
+
+--- openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/native/sun/awt/medialib/awt_ImagingLib.c Thu Feb 14 19:51:51 2013 +0400
+@@ -42,6 +42,7 @@
+ #include "awt_Mlib.h"
+ #include "gdefs.h"
+ #include "safe_alloc.h"
++#include "safe_math.h"
+
+ /***************************************************************************
+ * Definitions *
+@@ -1993,13 +1994,23 @@ cvtCustomToDefault(JNIEnv *env, BufImage
+ unsigned char *dP = dataP;
+ #define NUM_LINES 10
+ int numLines = NUM_LINES;
+- int nbytes = rasterP->width*4*NUM_LINES;
++ /* it is safe to calculate the scan length, because width has been verified
++ * on creation of the mlib image
++ */
++ int scanLength = rasterP->width * 4;
++
++ int nbytes = 0;
++ if (!SAFE_TO_MULT(numLines, scanLength)) {
++ return -1;
++ }
++
++ nbytes = numLines * scanLength;
+
+ for (y=0; y < rasterP->height; y+=numLines) {
+ /* getData, one scanline at a time */
+ if (y+numLines > rasterP->height) {
+ numLines = rasterP->height - y;
+- nbytes = rasterP->width*4*numLines;
++ nbytes = numLines * scanLength;
+ }
+ jpixels = (*env)->CallObjectMethod(env, imageP->jimage,
+ g_BImgGetRGBMID, 0, y,
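Review bot: `int scanLength = rasterP->width * 4;` is computed unchecked and its safety rests only on the comment's claim that width was verified when the mlib image was created, which is an invariant established in another function. Since `safe_math.h` is now included in this file, the multiplication can be guarded where it happens, e.g. `if (!SAFE_TO_MULT(rasterP->width, 4)) { return -1; }` before the assignment, so this function stays safe if a caller ever reaches it without going through that creation path. The body of cvtCustomToDefault starts and continues outside the hunk, so whether the early `return -1` needs any cleanup cannot be judged from here.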
+@@ -2129,8 +2140,14 @@ allocateArray(JNIEnv *env, BufImageS_t *
+ if (cvtToDefault) {
+ int status = 0;
+ *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, 4, width, height);
++ if (*mlibImagePP == NULL) {
++ return -1;
++ }
+ cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP);
+- /* Make sure the image is cleared */
++ /* Make sure the image is cleared.
++ * NB: the image dimension is already verified, so we can
++ * safely calculate the length of the buffer.
++ */
+ memset(cDataP, 0, width*height*4);
+
+ if (!isSrc) {
+@@ -2380,6 +2397,9 @@ allocateRasterArray(JNIEnv *env, RasterS
+ case sun_awt_image_IntegerComponentRaster_TYPE_BYTE_PACKED_SAMPLES:
+ *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands,
+ width, height);
++ if (*mlibImagePP == NULL) {
++ return -1;
++ }
+ if (!isSrc) return 0;
+ cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP);
+ return expandPackedBCR(env, rasterP, -1, cDataP);
+@@ -2388,6 +2408,9 @@ allocateRasterArray(JNIEnv *env, RasterS
+ if (rasterP->sppsm.maxBitSize <= 8) {
+ *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands,
+ width, height);
++ if (*mlibImagePP == NULL) {
++ return -1;
++ }
+ if (!isSrc) return 0;
+ cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP);
+ return expandPackedSCR(env, rasterP, -1, cDataP);
+@@ -2397,6 +2420,9 @@ allocateRasterArray(JNIEnv *env, RasterS
+ if (rasterP->sppsm.maxBitSize <= 8) {
+ *mlibImagePP = (*sMlibSysFns.createFP)(MLIB_BYTE, rasterP->numBands,
+ width, height);
++ if (*mlibImagePP == NULL) {
++ return -1;
++ }
+ if (!isSrc) return 0;
+ cDataP = (unsigned char *) mlib_ImageGetData(*mlibImagePP);
+ return expandPackedICR(env, rasterP, -1, cDataP);
+--- openjdk/jdk/src/share/native/sun/awt/medialib/mlib_ImageCreate.c Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/native/sun/awt/medialib/mlib_ImageCreate.c Thu Feb 14 19:51:51 2013 +0400
+@@ -120,6 +120,7 @@
+ #include "mlib_image.h"
+ #include "mlib_ImageRowTable.h"
+ #include "mlib_ImageCreate.h"
++#include "safe_math.h"
+
+ /***************************************************************/
+ mlib_image* mlib_ImageSet(mlib_image *image,
+@@ -247,25 +248,47 @@ mlib_image *mlib_ImageCreate(mlib_type t
+ return NULL;
+ };
+
++ if (!SAFE_TO_MULT(width, channels)) {
++ return NULL;
++ }
++
++ wb = width * channels;
++
+ switch (type) {
+ case MLIB_DOUBLE:
+- wb = width * channels * 8;
++ if (!SAFE_TO_MULT(wb, 8)) {
++ return NULL;
++ }
++ wb *= 8;
+ break;
+ case MLIB_FLOAT:
+ case MLIB_INT:
+- wb = width * channels * 4;
++ if (!SAFE_TO_MULT(wb, 4)) {
++ return NULL;
++ }
++ wb *= 4;
+ break;
+ case MLIB_USHORT:
+ case MLIB_SHORT:
+- wb = width * channels * 2;
++ if (!SAFE_TO_MULT(wb, 4)) {
++ return NULL;
++ }
++ wb *= 2;
+ break;
+ case MLIB_BYTE:
+- wb = width * channels;
++ // wb is ready
+ break;
+ case MLIB_BIT:
+- wb = (width * channels + 7) / 8;
++ if (!SAFE_TO_ADD(7, wb)) {
++ return NULL;
++ }
++ wb = (wb + 7) / 8;
+ break;
+ default:
++ return NULL;
++ }
++
++ if (!SAFE_TO_MULT(wb, height)) {
+ return NULL;
+ }
+
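Review bot: In the `MLIB_USHORT`/`MLIB_SHORT` case the guard is `SAFE_TO_MULT(wb, 4)` but the statement that follows is `wb *= 2`, so the check does not match the operation it protects. It errs on the strict side (row widths that would fit are rejected) rather than the unsafe side, but it looks like a copy of the `MLIB_FLOAT`/`MLIB_INT` branch and should read `if (!SAFE_TO_MULT(wb, 2)) {`. Separately, `// wb is ready` is a C++-style comment in a C source file whose surrounding comments use `/* */`; `/* wb is ready */` would match. The function body extends beyond the hunk on both sides.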
+--- openjdk/jdk/src/share/native/sun/awt/medialib/safe_alloc.h Tue Feb 26 12:42:17 2013 -0800
++++ openjdk/jdk/src/share/native/sun/awt/medialib/safe_alloc.h Thu Feb 14 19:51:51 2013 +0400
+@@ -41,10 +41,4 @@
+ (((w) > 0) && ((h) > 0) && ((sz) > 0) && \
+ (((0xffffffffu / ((juint)(w))) / ((juint)(h))) > ((juint)(sz))))
+
+-#define SAFE_TO_MULT(a, b) \
+- (((a) > 0) && ((b) >= 0) && ((0x7fffffff / (a)) > (b)))
+-
+-#define SAFE_TO_ADD(a, b) \
+- (((a) >= 0) && ((b) >= 0) && ((0x7fffffff - (a)) > (b)))
+-
+ #endif // __SAFE_ALLOC_H__
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/src/share/native/sun/awt/medialib/safe_math.h Thu Feb 14 19:51:51 2013 +0400
+@@ -0,0 +1,35 @@
++/*
++ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.