On Fri, 22 Apr 2022 07:36:43 GMT, Sergey Bylokhov <s...@openjdk.org> wrote:
>> Description of the new version of the fix: >> While I have worked on this change and tried to consider the comments, I >> have found that the usages of the "safeAdd/safeMult" in the LCMSImageLayout >> class are incorrect. Both methods are based on the "Math" versions but throw >> a different exception. The problem is that its implementation may accept the >> negative values during intermediate calculation, see the old implementation >> of >> "[verify](https://github.com/openjdk/jdk/blob/139615b1815d4afd3593536d83fa8b25430f35e7/src/java.desktop/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java#L343)" >> method: >> 1. We check the "offset" value: 0 <= offset < dataArrayLength >> 2. We do some intermediate calculations that "accept" negative values >> 3. We check the final "off" value: 0 <= offset < dataArrayLength >> >> I wondered is it possible to provide some data that using wrong/negative >> data at step2 may result in the correct check at step3. I spent some time >> and was able to reproduce the problem with the attached test case. Note that >> the test is a little bit cryptic since it is not possible to reproduce it by >> input image data. >> >> Note: I have removed all cleanup from the fix, to make it simpler. >> >> <======> >> Description of the old version of the fix: >> - The hand-crafted methods for addition and multiplication are replaced by >> the "Math" versions. >> - Cleanup: the usage of do/while(false) is removed > > Sergey Bylokhov has updated the pull request with a new target base due to a > merge or a rebase. The incremental webrev excludes the unrelated changes > brought in by the merge/rebase. The pull request contains six additional > commits since the last revision: > > - Initial version 8264666 > - Merge branch 'master' into LCMSImageLayout > - Revert "safeXX -> xxExact" > > This reverts commit a1876fa596a6831f036c04f45fa89c2caba47087. > - Revert "delete "do{...} while (false);"" > > This reverts commit a9e91601c355f96c82dd8b2b8564a3a3e7b96aef. > - delete "do{...} while (false);" > - safeXX -> xxExact The fix is reworked based on the new facts about that methods. ------------- PR: https://git.openjdk.java.net/jdk/pull/3333
