8319079: Missing range checks in decora
Reviewed-by: kcr, arapte
jayathirthrao authored and nlisker committed Nov 2, 2023
1 parent ead1953 commit 96e5d10
Showing 6 changed files with 85 additions and 0 deletions.
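--- a/modules/javafx.graphics/src/main/native-decora/SSEBoxBlurPeer.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEBoxBlurPeer.cc
@@ -38,6 +38,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterHorizontal
 jintArray dstPixels_arr, jint dstw, jint dsth, jint dstscan,
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dsth > srch) { // We should not move out of source vertical bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -89,6 +96,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterVertical
 jintArray dstPixels_arr, jint dstw, jint dsth, jint dstscan,
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -149,6 +163,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterTranspose
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jint ksize)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);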
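Review bot: The row strides `dstscan` and `srcscan` remain unvalidated in all three hunks of this file: `checkRange` receives only width and height, so it proves that `w * h` fits in each array but says nothing about `(h - 1) * scan + w`. The filter bodies lie outside the hunks, so this is inferred from the signatures, but if rows are addressed through the scan values, a stride larger than the width (or a non-positive one) could still index outside the pixel array. I would pass the strides to the helper and add, for each side, something like `dstscan < dstw || dsth > INT_MAX / dstscan || dstscan * dsth > env->GetArrayLength(dstPixels_arr)`. The same gap applies to the three hunks in SSEBoxShadowPeer.cc and, for `scolinc`/`srowinc`, to the two `filterHV` hunks.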
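--- a/modules/javafx.graphics/src/main/native-decora/SSEBoxShadowPeer.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEBoxShadowPeer.cc
@@ -39,6 +39,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterHorizontalBlack
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dsth > srch) { // We should not move out of source vertical bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -86,6 +93,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterVerticalBlack
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -134,6 +148,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterVertical
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread, jfloatArray shadowColor_arr)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jfloat shadowColor[4];
 env->GetFloatArrayRegion(shadowColor_arr, 0, 4, shadowColor);
 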
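Review bot: In the `filterVertical` hunk, `shadowColor_arr` is read with `GetFloatArrayRegion(shadowColor_arr, 0, 4, shadowColor)` right after the new guard, but nothing checks that the array is non-null and holds at least four floats. If the region call fails it raises a Java exception and leaves `shadowColor` uninitialised, and the visible lines do not test for a pending exception before continuing (the rest of the body is outside the hunk). Extending the guard with `shadowColor_arr == NULL || env->GetArrayLength(shadowColor_arr) < 4` would bring this argument in line with the pixel-array checks.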
Expand Up @@ -110,6 +110,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSELinearConvolvePeer_filterHV
jintArray srcPixels_arr, jint srccols, jint srcrows, jint scolinc, jint srowinc,
jfloatArray kvals_arr)
{
if ((checkRange(env,
dstPixels_arr, dstcols, dstrows,
srcPixels_arr, srccols, srcrows)) ||
dstrows > srcrows) { // We should not move out of source vertical bounds
return;
}

jint kernelSize = env->GetArrayLength(kvals_arr) / 2;
if (kernelSize > 128) return;
jfloat kvals[256];
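Review bot: `kvals_arr` is passed to `GetArrayLength` immediately after the new guard without a null check, and only the upper bound `kernelSize > 128` is tested. The added guard covers the two pixel arrays only, so a null kernel array is still unhandled at this point; how `kernelSize` is used afterwards is outside the hunk. Consider `if (kvals_arr == NULL) return;` before the length call and, if an empty kernel is not meaningful, rejecting `kernelSize <= 0` alongside the existing limit. The `filterHV` hunk of the shadow peer that follows contains the same lines.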
Expand Up @@ -118,6 +118,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSELinearConvolveShadowPeer_filterHV
jintArray srcPixels_arr, jint srccols, jint srcrows, jint scolinc, jint srowinc,
jfloatArray kvals_arr, jfloatArray shadowColor_arr)
{
if ((checkRange(env,
dstPixels_arr, dstcols, dstrows,
srcPixels_arr, srccols, srcrows)) ||
dstrows > srcrows) { // We should not move out of source vertical bounds
return;
}

jint kernelSize = env->GetArrayLength(kvals_arr) / 2;
if (kernelSize > 128) return;
jfloat kvals[256];
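--- a/modules/javafx.graphics/src/main/native-decora/SSEUtils.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEUtils.cc
@@ -183,3 +183,24 @@ void fsample(jfloat *map,
 }
 }
 }
+
+/*
+* checkRange function returns true if source or destination
+* dimensions are not in the required bounds and returns false
+* if dimensions are within required bounds.
+*/
+bool checkRange(JNIEnv *env,
+jintArray dstPixels_arr, jint dstw, jint dsth,
+jintArray srcPixels_arr, jint srcw, jint srch)
+{
+return (srcPixels_arr == NULL ||
+dstPixels_arr == NULL ||
+srcw <= 0 ||
+srch <= 0 ||
+srcw > INT_MAX / srch ||
+dstw <= 0 ||
+dsth <= 0 ||
+dstw > INT_MAX / dsth ||
+(srcw * srch) > env->GetArrayLength(srcPixels_arr) ||
+(dstw * dsth) > env->GetArrayLength(dstPixels_arr));
+}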
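Review bot: `checkRange` returns true when validation fails, which reads inverted at the call sites (`if (checkRange(...)) return;`) and is easy to misuse in a later caller. The header comment should state that polarity up front and list exactly what is validated: non-null arrays, positive dimensions, `w * h` not overflowing, and `w * h` not exceeding the array length. A name such as `isOutOfRange` would make the meaning self-evident. Callers return silently on a rejected input, so it is also worth documenting that no Java exception is raised on this path.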
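--- a/modules/javafx.graphics/src/main/native-decora/SSEUtils.h
+++ b/modules/javafx.graphics/src/main/native-decora/SSEUtils.h
@@ -38,6 +38,10 @@ extern "C" {
 #define FVAL_G 1
 #define FVAL_B 2
 
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif /* INT_MAX */
+
 void lsample(jint *img,
 jfloat floc_x, jfloat floc_y,
 jint w, jint h, jint scan,
@@ -53,6 +57,10 @@ void fsample(jfloat *img,
 jint w, jint h, jint scan,
 jfloat *fvals);
 
+bool checkRange(JNIEnv *env,
+jintArray dstPixels_arr, jint dstw, jint dsth,
+jintArray srcPixels_arr, jint srcw, jint srch);
+
 #ifdef __cplusplus
 };
 #endif /* __cplusplus */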
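Review bot: The fallback `#define INT_MAX 2147483647` makes the overflow bound depend on include order; I would replace it with `#include <limits.h>` in this header. Depending on the toolchain, a later inclusion of the system header may redefine the macro with a warning. Since the values being bounded are `jint`, a named constant for the jint maximum would also state the intent more directly than the platform `int` limit. The `checkRange` prototype returns `bool` inside the `extern "C"` block, so a short comment that this header is meant for C++ translation units would help.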

5 comments on commit 96e5d10

@openjdk-notifier

@jayathirthrao
Member Author


/backport jfx21u

@openjdk

@openjdk openjdk bot commented on 96e5d10 Nov 2, 2023


@jayathirthrao the backport was successfully created on the branch jayathirthrao-backport-96e5d10a in my personal fork of openjdk/jfx21u. To create a pull request with this backport targeting openjdk/jfx21u:master, just click the following link:

➡️ Create pull request

The title of the pull request is automatically filled in correctly and below you find a suggestion for the pull request body:

Hi all,

This pull request contains a backport of commit 96e5d10a from the openjdk/jfx repository.

The commit being backported was authored by Jayathirth D V on 2 Nov 2023 and was reviewed by Kevin Rushforth and Ambarish Rapte.

Thanks!

If you need to update the source branch of the pull then run the following commands in a local clone of your personal fork of openjdk/jfx21u:

$ git fetch https://github.com/openjdk-bots/jfx21u.git jayathirthrao-backport-96e5d10a:jayathirthrao-backport-96e5d10a
$ git checkout jayathirthrao-backport-96e5d10a
# make changes
$ git add paths/to/changed/files
$ git commit --message 'Describe additional changes made'
$ git push https://github.com/openjdk-bots/jfx21u.git jayathirthrao-backport-96e5d10a

@kevinrushforth
Member


/tag 22+16

@openjdk

@openjdk openjdk bot commented on 96e5d10 Nov 2, 2023


@kevinrushforth The tag 22+16 was successfully created.
