8319079: Missing range checks in decora
Backport-of: 96e5d10
jayathirthrao authored and arapte committed Nov 3, 2023
1 parent 916df93 commit 5f21d46
Showing 6 changed files with 85 additions and 0 deletions.
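--- a/modules/javafx.graphics/src/main/native-decora/SSEBoxBlurPeer.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEBoxBlurPeer.cc
@@ -38,6 +38,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterHorizontal
 jintArray dstPixels_arr, jint dstw, jint dsth, jint dstscan,
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dsth > srch) { // We should not move out of source vertical bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -89,6 +96,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterVertical
 jintArray dstPixels_arr, jint dstw, jint dsth, jint dstscan,
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -149,6 +163,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxBlurPeer_filterTranspose
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jint ksize)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);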
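Review bot: The guard added to filterTranspose reuses filterVertical's `dstw > srcw` test and comment unchanged, and nothing visible in the hunk shows that a transposing pass relates destination width to source width rather than to source height. The loop body lies outside the hunk, so this is a question to settle against the indexing there, including whether `ksize`, which the guard ignores, takes part in the bound. If the test is right as written, the trailing comment should say so for this pass specifically, for example `// transpose pass: x walks source columns, so dstw must not exceed srcw`, instead of repeating the filterVertical wording.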
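--- a/modules/javafx.graphics/src/main/native-decora/SSEBoxShadowPeer.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEBoxShadowPeer.cc
@@ -39,6 +39,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterHorizontalBlack
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dsth > srch) { // We should not move out of source vertical bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -86,6 +93,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterVerticalBlack
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jint *srcPixels = (jint *)env->GetPrimitiveArrayCritical(srcPixels_arr, 0);
 if (srcPixels == NULL) return;
 jint *dstPixels = (jint *)env->GetPrimitiveArrayCritical(dstPixels_arr, 0);
@@ -134,6 +148,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSEBoxShadowPeer_filterVertical
 jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan,
 jfloat spread, jfloatArray shadowColor_arr)
 {
+if ((checkRange(env,
+dstPixels_arr, dstw, dsth,
+srcPixels_arr, srcw, srch)) ||
+dstw > srcw) { // We should not move out of source horizontal bounds
+return;
+}
+
 jfloat shadowColor[4];
 env->GetFloatArrayRegion(shadowColor_arr, 0, 4, shadowColor);
 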
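Review bot: In filterVertical the new guard validates only the two pixel arrays, while the statement right after it, `env->GetFloatArrayRegion(shadowColor_arr, 0, 4, shadowColor);`, still trusts `shadowColor_arr`. A null reference passed to that call is outside what JNI defines, and an array shorter than four elements raises ArrayIndexOutOfBoundsException and leaves `shadowColor` unfilled; no exception check is visible before the function goes on, though its body continues outside the hunk. Adding `if (shadowColor_arr == NULL || env->GetArrayLength(shadowColor_arr) < 4) return;` ahead of the copy would bring this argument under the same validation as the pixel arrays.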
@@ -110,6 +110,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSELinearConvolvePeer_filterHV
jintArray srcPixels_arr, jint srccols, jint srcrows, jint scolinc, jint srowinc,
jfloatArray kvals_arr)
{
if ((checkRange(env,
dstPixels_arr, dstcols, dstrows,
srcPixels_arr, srccols, srcrows)) ||
dstrows > srcrows) { // We should not move out of source vertical bounds
return;
}

jint kernelSize = env->GetArrayLength(kvals_arr) / 2;
if (kernelSize > 128) return;
jfloat kvals[256];
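Review bot: The guard added to filterHV leaves `kvals_arr` unchecked, and the first statement after it is `env->GetArrayLength(kvals_arr) / 2`, which JNI does not define for a null reference. A one-line `if (kvals_arr == NULL) return;` placed with the new guard would cover it. The same sequence appears in SSELinearConvolveShadowPeer_filterHV, which also receives `shadowColor_arr`; both function bodies continue outside their hunks, so how those arrays are read later cannot be confirmed from this page.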
@@ -118,6 +118,13 @@ Java_com_sun_scenario_effect_impl_sw_sse_SSELinearConvolveShadowPeer_filterHV
jintArray srcPixels_arr, jint srccols, jint srcrows, jint scolinc, jint srowinc,
jfloatArray kvals_arr, jfloatArray shadowColor_arr)
{
if ((checkRange(env,
dstPixels_arr, dstcols, dstrows,
srcPixels_arr, srccols, srcrows)) ||
dstrows > srcrows) { // We should not move out of source vertical bounds
return;
}

jint kernelSize = env->GetArrayLength(kvals_arr) / 2;
if (kernelSize > 128) return;
jfloat kvals[256];
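--- a/modules/javafx.graphics/src/main/native-decora/SSEUtils.cc
+++ b/modules/javafx.graphics/src/main/native-decora/SSEUtils.cc
@@ -183,3 +183,24 @@ void fsample(jfloat *map,
 }
 }
 }
+
+/*
+* checkRange function returns true if source or destination
+* dimensions are not in the required bounds and returns false
+* if dimensions are within required bounds.
+*/
+bool checkRange(JNIEnv *env,
+jintArray dstPixels_arr, jint dstw, jint dsth,
+jintArray srcPixels_arr, jint srcw, jint srch)
+{
+return (srcPixels_arr == NULL ||
+dstPixels_arr == NULL ||
+srcw <= 0 ||
+srch <= 0 ||
+srcw > INT_MAX / srch ||
+dstw <= 0 ||
+dsth <= 0 ||
+dstw > INT_MAX / dsth ||
+(srcw * srch) > env->GetArrayLength(srcPixels_arr) ||
+(dstw * dsth) > env->GetArrayLength(dstPixels_arr));
+}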
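Review bot: checkRange bounds each array by `srcw * srch` and `dstw * dsth`, but the SSEBoxBlurPeer and SSEBoxShadowPeer entry points that call it also receive `srcscan` and `dstscan`, which are never validated. If the filter loops advance rows by the scan stride (their bodies are not on this page), a stride larger than the width, or a negative one, addresses elements past what this check admits. Passing the strides in and bounding `(h - 1) * scan + w` against GetArrayLength closes that gap; the two filterHV callers take column/row increments instead and would need the equivalent bound on those. The sketch below changes the signature, so the call sites and the declaration in SSEUtils.h change with it.

```cpp
bool checkRange(JNIEnv *env,
                jintArray dstPixels_arr, jint dstw, jint dsth, jint dstscan,
                jintArray srcPixels_arr, jint srcw, jint srch, jint srcscan)
{
    // … unchanged conditions (NULL arrays, w/h <= 0, w > INT_MAX / h) now return true early …
    if (srcscan < srcw || srcscan > INT_MAX / srch ||
        dstscan < dstw || dstscan > INT_MAX / dsth) {
        return true;
    }
    // Highest index touched in a strided image is (h - 1) * scan + w - 1;
    // the stride checks above keep these products within int range.
    return ((srch - 1) * srcscan + srcw) > env->GetArrayLength(srcPixels_arr) ||
           ((dsth - 1) * dstscan + dstw) > env->GetArrayLength(dstPixels_arr);
}
```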
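--- a/modules/javafx.graphics/src/main/native-decora/SSEUtils.h
+++ b/modules/javafx.graphics/src/main/native-decora/SSEUtils.h
@@ -38,6 +38,10 @@ extern "C" {
 #define FVAL_G 1
 #define FVAL_B 2
 
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif /* INT_MAX */
+
 void lsample(jint *img,
 jfloat floc_x, jfloat floc_y,
 jint w, jint h, jint scan,
@@ -53,6 +57,10 @@ void fsample(jfloat *img,
 jint w, jint h, jint scan,
 jfloat *fvals);
 
+bool checkRange(JNIEnv *env,
+jintArray dstPixels_arr, jint dstw, jint dsth,
+jintArray srcPixels_arr, jint srcw, jint srch);
+
 #ifdef __cplusplus
 };
 #endif /* __cplusplus */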
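Review bot: The fallback `#define INT_MAX 2147483647` hard-codes a limit that the standard header already provides, and it ties the overflow test in checkRange to `int` even though the operands are `jint`. Replacing the three lines with `#include <limits.h>` removes the private definition and any chance of it disagreeing with a later include. Separately, the `checkRange` prototype uses `bool` inside the `extern "C"` block of a header that guards itself with `#ifdef __cplusplus`; if the header is ever meant to be read by a C translation unit it would need `<stdbool.h>`, otherwise a short comment that it is C++-only would settle the question.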

1 comment on commit 5f21d46

@openjdk-notifier