On Fri, 2 Apr 2021 23:02:50 GMT, Sergey Bylokhov <s...@openjdk.org> wrote:
> Description of the new version of the fix: > While I have worked on this change and tried to consider the comments, I have > found that the usages of the "safeAdd/safeMult" in the LCMSImageLayout class > are incorrect. Both methods are based on the "Math" versions but throw a > different exception. The problem is that its implementation may accept the > negative values during intermediate calculation, see the old implementation > of > "[verify](https://github.com/openjdk/jdk/blob/139615b1815d4afd3593536d83fa8b25430f35e7/src/java.desktop/share/classes/sun/java2d/cmm/lcms/LCMSImageLayout.java#L343)" > method: > 1. We check the "offset" value: 0 <= offset < dataArrayLength > 2. We do some intermediate calculations that "accept" negative values > 3. We check the final "off" value: 0 <= offset < dataArrayLength > > I wondered is it possible to provide some data that using wrong/negative data > at step2 may result in the correct check at step3. I spent some time and was > able to reproduce the problem with the attached test case. Note that the test > is a little bit cryptic since it is not possible to reproduce it by input > image data. > > Note: I have removed all cleanup from the fix, to make it simpler. > > <======> > Description of the old version of the fix: > - The hand-crafted methods for addition and multiplication are replaced by > the "Math" versions. > - Cleanup: the usage of do/while(false) is removed This pull request has now been integrated. Changeset: 40f19c01 Author: Sergey Bylokhov <s...@openjdk.org> URL: https://git.openjdk.java.net/jdk/commit/40f19c014fed37b09db409cb9507f68f5011f139 Stats: 195 lines in 2 files changed: 169 ins; 15 del; 11 mod 8264666: Change implementation of safeAdd/safeMult in the LCMSImageLayout class Reviewed-by: prr ------------- PR: https://git.openjdk.java.net/jdk/pull/3333
