[oe] [meta-java][PATCH 2/2] icedtea: CVE-2013-4160: integrate Non happy path fixes

Zibo Zhao zibo.zhao at windriver.com
Tue Sep 23 23:37:47 UTC 2014


From: Michel Thebeau <michel.thebeau at windriver.com>

Little CMS (lcms2) before 2.5, as used in OpenJDK 7 and possibly
other products, allows remote attackers to cause a denial of
service (NULL pointer dereference).

Adding NULL pointer checks fixes the issue.

Signed-off-by: Michel Thebeau <michel.thebeau at windriver.com>
Signed-off-by: Zibo Zhao <zibo.zhao at windriver.com>
---
 ...cedtea-CVE-2013-4160-Non-happy-path-fixes.patch | 74 ++++++++++++++++++++++
 recipes-core/openjdk/openjdk-7-release-03b21.inc   |  2 +
 2 files changed, 76 insertions(+)
 create mode 100644 recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch

diff --git a/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
new file mode 100644
index 0000000..75e11c4
--- /dev/null
+++ b/recipes-core/openjdk/openjdk-7-03b21/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch
@@ -0,0 +1,74 @@
+From 91c2db7f2559be504211b283bc3a2c631d6f06d9 Mon Sep 17 00:00:00 2001
+From: Marti Maria <info at littlecms.com>
+Date: Tue, 25 Jun 2013 16:09:16 +0200
+Subject: [PATCH] Non happy-path fixes
+
+commit 91c2db7f2559be504211b283bc3a2c631d6f06d9 from
+https://github.com/mm2/Little-CMS
+[modified for Little-CMS 2.0]
+
+Signed-off-by: Michel Thebeau <michel.thebeau at windriver.com>
+Signed-off-by: Zibo Zhao <Zibo.Zhao at windriver.com>
+---
+ src/cmsnamed.c | 12 +++++++----
+ src/cmsopt.c   | 10 ++++++++++
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
+index a916e17..acfd1c8 100644
+--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsnamed.c
+@@ -514,8 +514,8 @@ cmsNAMEDCOLORLIST* CMSEXPORT cmsAllocNamedColorList(cmsContext ContextID, cmsUIn
+     while (v -> Allocated < n)
+         GrowNamedColorList(v);
+ 
+-    strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix));
+-    strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix));
++    strncpy(v ->Prefix, Prefix, sizeof(v ->Prefix)-1);
++    strncpy(v ->Suffix, Suffix, sizeof(v ->Suffix)-1);
+     v -> ColorantCount = ColorantCount;
+ 
+     return v;
+@@ -571,6 +571,5 @@ cmsBool  CMSEXPORT cmsAppendNamedColor(cmsNAMEDCOLORLIST* NamedColorList,
+ 
+     if (Name != NULL)
+-        strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name,
+-                    sizeof(NamedColorList ->List[NamedColorList ->nColors].Name));
++        strncpy(NamedColorList ->List[NamedColorList ->nColors].Name, Name, cmsMAX_PATH-1);
+    else
+        NamedColorList ->List[NamedColorList ->nColors].Name[0] = 0;
+@@ -735,6 +733,10 @@ cmsSEQ* CMSEXPORT cmsAllocProfileSequenceDescription(cmsContext ContextID, cmsUI
+     Seq -> seq      = (cmsPSEQDESC*) _cmsCalloc(ContextID, n, sizeof(cmsPSEQDESC));
+     Seq -> n        = n;
+ 
++    if (Seq -> seq == NULL) {
++        _cmsFree(ContextID, Seq);
++        return NULL;
++    }
+ 
+     for (i=0; i < n; i++) {
+         Seq -> seq[i].Manufacturer = NULL;
+diff --git openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
+index 7478e5e..4bdf0a7 100644
+--- openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
++++ openjdk/jdk/src/share/native/sun/java2d/cmm/lcms/cmsopt.c
+@@ -1179,6 +1179,16 @@ Curves16Data* CurvesAlloc(cmsContext ContextID, int nCurves, int nElements, cmsT
+ 
+         c16->Curves[i] = _cmsCalloc(ContextID, nElements, sizeof(cmsUInt16Number));
+ 
++        if (c16->Curves[i] == NULL) {
++
++            for (j=0; j < i; j++) {
++                _cmsFree(ContextID, c16->Curves[j]);
++            }
++            _cmsFree(ContextID, c16->Curves);
++            _cmsFree(ContextID, c16);
++            return NULL;
++        }
++
+         if (nElements == 256) {
+ 
+             for (j=0; j < nElements; j++) {
+-- 
+1.9.1
+
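Review bot: The two `strncpy` changes in cmsnamed.c bound the copy to size-1 but never write the terminator, so `Prefix`, `Suffix` and `Name` are NUL-terminated only if the destination was zeroed beforehand, which these hunks do not show (the `List` entries presumably come from a grown allocation; worth confirming). I would terminate explicitly after each copy, e.g. `v ->Prefix[sizeof(v ->Prefix)-1] = 0;`, `v ->Suffix[sizeof(v ->Suffix)-1] = 0;` and `NamedColorList ->List[NamedColorList ->nColors].Name[cmsMAX_PATH-1] = 0;`, the last one needing braces around the `if (Name != NULL)` body. Replacing `sizeof(...Name)` with `cmsMAX_PATH-1` in cmsAppendNamedColor also assumes `Name` is declared with `cmsMAX_PATH` elements in this Little-CMS 2.0 tree; `sizeof(...)-1` would keep the bound tied to the actual array. The new `return NULL` paths in cmsAllocProfileSequenceDescription and CurvesAlloc only help if their callers check the result, and those callers are outside the hunks.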
diff --git a/recipes-core/openjdk/openjdk-7-release-03b21.inc b/recipes-core/openjdk/openjdk-7-release-03b21.inc
index 6f78d10..5b5caff 100644
--- a/recipes-core/openjdk/openjdk-7-release-03b21.inc
+++ b/recipes-core/openjdk/openjdk-7-release-03b21.inc
@@ -94,6 +94,7 @@ ICEDTEAPATCHES = "\
 	file://icedtea-corba-parallel-make.patch;apply=no \
         file://icedtea-zero-hotspotfix.patch;apply=no \
         file://icedtea-CVE-2014-1876-unpack.patch;apply=no \
+        file://icedtea-CVE-2013-4160-Non-happy-path-fixes.patch;apply=no \
 	"
 ICEDTEAPATCHES_append_powerpc = " \
 	file://icedtea-jdk-nio-use-host-cc.patch;apply=no \
@@ -127,6 +128,7 @@ DISTRIBUTION_PATCHES = "\
 	patches/icedtea-corba-parallel-make.patch \
         patches/icedtea-zero-hotspotfix.patch \
         patches/icedtea-CVE-2014-1876-unpack.patch \
+        patches/icedtea-CVE-2013-4160-Non-happy-path-fixes.patch \
 	"
 
 DISTRIBUTION_PATCHES_append_libc-uclibc = "\
-- 
1.9.1



