backports of JDK-8313048, JDK-8313105, JDK-8313056 (#175)

Author: johanvos

modules/javafx.graphics/src/main/java/com/sun/glass/ui/Pixels.java

@@ -85,25 +85,22 @@ public static int getNativeFormat() {
     private final float scaley;
 
     protected Pixels(final int width, final int height, final ByteBuffer pixels) {
-        this.width = width;
-        this.height = height;
-        this.bytesPerComponent = 1;
-        this.bytes = pixels.slice();
-        if ((this.width <= 0) || (this.height <= 0) || ((this.width * this.height * 4) > this.bytes.capacity())) {
-            throw new IllegalArgumentException("Too small byte buffer size "+this.width+"x"+this.height+" ["+(this.width*this.height*4)+"] > "+this.bytes.capacity());
-        }
-
-        this.ints = null;
-        this.scalex = 1.0f;
-        this.scaley = 1.0f;
+        this(width, height, pixels, 1.0f, 1.0f);
     }
 
     protected Pixels(final int width, final int height, final ByteBuffer pixels, float scalex, float scaley) {
         this.width = width;
         this.height = height;
         this.bytesPerComponent = 1;
         this.bytes = pixels.slice();
-        if ((this.width <= 0) || (this.height <= 0) || ((this.width * this.height * 4) > this.bytes.capacity())) {
+
+        if (this.width <= 0 || this.height <= 0 ||
+                this.width > ((Integer.MAX_VALUE / 4) / this.height)) {
+
+            throw new IllegalArgumentException("Invalid width*height");
+        }
+
+        if ((this.width * this.height * 4) > this.bytes.capacity()) {
             throw new IllegalArgumentException("Too small byte buffer size "+this.width+"x"+this.height+" ["+(this.width*this.height*4)+"] > "+this.bytes.capacity());
         }
 
@@ -113,25 +110,22 @@ protected Pixels(final int width, final int height, final ByteBuffer pixels, flo
     }
 
     protected Pixels(final int width, final int height, IntBuffer pixels) {
-        this.width = width;
-        this.height = height;
-        this.bytesPerComponent = 4;
-        this.ints = pixels.slice();
-        if ((this.width <= 0) || (this.height <= 0) || ((this.width * this.height) > this.ints.capacity())) {
-            throw new IllegalArgumentException("Too small int buffer size "+this.width+"x"+this.height+" ["+(this.width*this.height)+"] > "+this.ints.capacity());
-        }
-
-        this.bytes = null;
-        this.scalex = 1.0f;
-        this.scaley = 1.0f;
+        this(width, height, pixels, 1.0f, 1.0f);
     }
 
     protected Pixels(final int width, final int height, IntBuffer pixels, float scalex, float scaley) {
         this.width = width;
         this.height = height;
         this.bytesPerComponent = 4;
         this.ints = pixels.slice();
-        if ((this.width <= 0) || (this.height <= 0) || ((this.width * this.height) > this.ints.capacity())) {
+
+        if (this.width <= 0 || this.height <= 0 ||
+                this.width > ((Integer.MAX_VALUE / 4) / this.height)) {
+
+            throw new IllegalArgumentException("Invalid width*height");
+        }
+
+        if ((this.width * this.height) > this.ints.capacity()) {
             throw new IllegalArgumentException("Too small int buffer size "+this.width+"x"+this.height+" ["+(this.width*this.height)+"] > "+this.ints.capacity());
         }
 
@@ -238,6 +232,7 @@ public final void asByteBuffer(ByteBuffer bb) {
             throw new RuntimeException("Too small buffer.");
         }
         _fillDirectByteBuffer(bb);
+        bb.rewind();
     }
 
     // This method is called from the native code to reduce the number of JNI up-calls.

modules/javafx.graphics/src/main/java/com/sun/glass/ui/gtk/GtkPixels.java

@@ -25,7 +25,6 @@
 package com.sun.glass.ui.gtk;
 
 import com.sun.glass.ui.Pixels;
-import java.nio.Buffer;
 import java.nio.ByteBuffer;
 import java.nio.IntBuffer;
 
@@ -52,31 +51,21 @@ protected void _fillDirectByteBuffer(ByteBuffer bb) {
         // Taken from MacPixels
         if (this.bytes != null) {
             this.bytes.rewind();
-            if (this.bytes.isDirect()) {
-                _copyPixels(bb, this.bytes, getWidth()*getHeight());
-            } else {
-                bb.put(this.bytes);
-            }
+            bb.put(this.bytes);
             this.bytes.rewind();
         } else {
             this.ints.rewind();
-            if (this.ints.isDirect()) {
-                _copyPixels(bb, this.ints, getWidth()*getHeight());
-            } else {
-                for (int i=0; i<this.ints.capacity(); i++) {
-                    int data = this.ints.get();
-                    bb.put((byte)((data)&0xff));
-                    bb.put((byte)((data>>8)&0xff));
-                    bb.put((byte)((data>>16)&0xff));
-                    bb.put((byte)((data>>24)&0xff));
-                }
+            for (int i=0; i<this.ints.capacity(); i++) {
+                int data = this.ints.get();
+                bb.put((byte)((data)&0xff));
+                bb.put((byte)((data>>8)&0xff));
+                bb.put((byte)((data>>16)&0xff));
+                bb.put((byte)((data>>24)&0xff));
             }
             this.ints.rewind();
         }
     }
 
-    protected native void _copyPixels(Buffer dst, Buffer src, int size);
-
     @Override
     protected native void _attachInt(long ptr, int w, int h, IntBuffer ints, int[] array, int offset);
 

modules/javafx.graphics/src/main/java/com/sun/glass/ui/mac/MacPixels.java

@@ -24,7 +24,6 @@
  */
 package com.sun.glass.ui.mac;
 
-import java.nio.Buffer;
 import java.nio.ByteBuffer;
 import java.nio.IntBuffer;
 
@@ -69,29 +68,21 @@ protected MacPixels(int width, int height, IntBuffer data, float scalex, float s
     protected void _fillDirectByteBuffer(ByteBuffer bb) {
         if (this.bytes != null) {
             this.bytes.rewind();
-            if (this.bytes.isDirect() == true) {
-                _copyPixels(bb, this.bytes, getWidth()*getHeight());
-            } else {
-                bb.put(this.bytes);
-            }
+            bb.put(this.bytes);
             this.bytes.rewind();
         } else {
             this.ints.rewind();
-            if (this.ints.isDirect() == true) {
-                _copyPixels(bb, this.ints, getWidth()*getHeight());
-            } else {
-                for (int i=0; i<this.ints.capacity(); i++) {
-                    int data = this.ints.get();
-                    bb.put((byte)((data>>0)&0xff));
-                    bb.put((byte)((data>>8)&0xff));
-                    bb.put((byte)((data>>16)&0xff));
-                    bb.put((byte)((data>>24)&0xff));
-                }
+            for (int i=0; i<this.ints.capacity(); i++) {
+                int data = this.ints.get();
+                bb.put((byte)((data>>0)&0xff));
+                bb.put((byte)((data>>8)&0xff));
+                bb.put((byte)((data>>16)&0xff));
+                bb.put((byte)((data>>24)&0xff));
             }
             this.ints.rewind();
         }
     }
-    native protected void _copyPixels(Buffer src, Buffer dst, int size);
+
     @Override native protected void _attachInt(long ptr, int w, int h, IntBuffer ints, int[] array, int offset);
     @Override native protected void _attachByte(long ptr, int w, int h, ByteBuffer bytes, byte[] array, int offset);
 

modules/javafx.graphics/src/main/java/com/sun/glass/ui/mac/MacView.java

@@ -99,9 +99,9 @@ static int getMultiClickMaxY_impl() {
                                 pixels.getWidth(), pixels.getHeight(), pixels.getScaleX(), pixels.getScaleY());
         }
     }
-    native void _uploadPixelsDirect(long viewPtr, Buffer pixels, int width, int height, float scaleX, float scaleY);
-    native void _uploadPixelsByteArray(long viewPtr, byte[] pixels, int offset, int width, int height, float scaleX, float scaleY);
-    native void _uploadPixelsIntArray(long viewPtr, int[] pixels, int offset, int width, int height, float scaleX, float scaleY);
+    private native void _uploadPixelsDirect(long viewPtr, Buffer pixels, int width, int height, float scaleX, float scaleY);
+    private native void _uploadPixelsByteArray(long viewPtr, byte[] pixels, int offset, int width, int height, float scaleX, float scaleY);
+    private native void _uploadPixelsIntArray(long viewPtr, int[] pixels, int offset, int width, int height, float scaleX, float scaleY);
 
     @Override
     protected void notifyResize(int width, int height) {

modules/javafx.graphics/src/main/native-font/directwrite.cpp

@@ -2167,10 +2167,14 @@ JNIEXPORT jbyteArray JNICALL OS_NATIVE(CreateAlphaTexture)
     /* In Only */
     if (arg2) lparg2 = getRECTFields(env, arg2, &_arg2);
     if (!lparg2) return NULL;
+    if (lparg2->right <= lparg2->left) return NULL;
+    if (lparg2->bottom <= lparg2->top) return NULL;
     DWRITE_TEXTURE_TYPE textureType = (DWRITE_TEXTURE_TYPE)arg1;
     UINT32 width = lparg2->right - lparg2->left;
     UINT32 height = lparg2->bottom - lparg2->top;
     UINT32 bpp = textureType == DWRITE_TEXTURE_CLEARTYPE_3x1 ? 3 : 1;
+    if (height > UINT32_MAX / bpp) return NULL;
+    if (height > 0 && width > UINT32_MAX / (height * bpp)) return NULL;
     UINT32 bufferSize = width * height * bpp;
     BYTE * buffer = new (std::nothrow) BYTE[bufferSize];
     HRESULT hr = ((IDWriteGlyphRunAnalysis *)arg0)->CreateAlphaTexture(textureType, lparg2, buffer, bufferSize);
@@ -2233,6 +2237,10 @@ JNIEXPORT jint JNICALL OS_NATIVE(GetGlyphs)
     if (arg15) if ((lparg15 = env->GetShortArrayElements(arg15, NULL)) == NULL) goto fail;
     if (arg16) if ((lparg16 = env->GetShortArrayElements(arg16, NULL)) == NULL) goto fail;
     if (arg17) if ((lparg17 = env->GetIntArrayElements(arg17, NULL)) == NULL) goto fail;
+    if (textStart < 0) goto fail;
+    if (!arg1) goto fail;
+    if (arg2 <= 0 || arg2 > env->GetArrayLength(arg1)) goto fail;
+    if (textStart > env->GetArrayLength(arg1) - arg2) goto fail;
     const WCHAR* text = (const WCHAR*)(lparg1 + textStart);
 
     hr = ((IDWriteTextAnalyzer *)arg0)->GetGlyphs(text,
@@ -2297,6 +2305,10 @@ JNIEXPORT jint JNICALL OS_NATIVE(GetGlyphPlacements)
     if (arg15) if ((lparg15 = env->GetIntArrayElements(arg15, NULL)) == NULL) goto fail;
     if (arg17) if ((lparg17 = env->GetFloatArrayElements(arg17, NULL)) == NULL) goto fail;
     if (arg18) if ((lparg18 = env->GetFloatArrayElements(arg18, NULL)) == NULL) goto fail;
+    if (textStart < 0) goto fail;
+    if (!arg1) goto fail;
+    if (arg4 <= 0 || arg4 > env->GetArrayLength(arg1)) goto fail;
+    if (textStart > env->GetArrayLength(arg1) - arg4) goto fail;
     const WCHAR* text = (const WCHAR*)(lparg1 + textStart);
 
     hr = ((IDWriteTextAnalyzer *)arg0)->GetGlyphPlacements(text,

modules/javafx.graphics/src/main/native-glass/gtk/GlassPixels.cpp

@@ -40,25 +40,6 @@ static void my_free(guchar *pixels, gpointer data) {
 
 extern "C" {
 
-/*
- * Class:     com_sun_glass_ui_gtk_GtkPixels
- * Method:    _copyPixels
- * Signature: (Ljava/nio/Buffer;Ljava/nio/Buffer;I)V
- */
-JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkPixels__1copyPixels
-  (JNIEnv *env, jobject obj, jobject jDst, jobject jSrc, jint jSize)
-{
-    (void)obj;
-
-    //Taken from MacPixels (and fixed)
-    void *src = env->GetDirectBufferAddress(jSrc);
-    void *dst = env->GetDirectBufferAddress(jDst);
-    if ((src != NULL) && (dst != NULL) && (jSize > 0))
-    {
-        memcpy(dst, src, jSize * 4);
-    }
-}
-
 /*
  * Class:     com_sun_glass_ui_gtk_GtkPixels
  * Method:    _attachInt
@@ -69,15 +50,35 @@ JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkPixels__1attachInt
 {
     (void)obj;
 
+    if (!ptr) return;
+    if (!array && !ints) return;
+    if (offset < 0) return;
+    if (w <= 0 || h <= 0) return;
+
+    if (w > (((INT_MAX - offset) / 4) / h))
+    {
+        return;
+    }
+
     jint *data;
     GdkPixbuf **pixbuf;
     guint8 *dataRGBA;
 
+    jsize numElem;
+    if (array == NULL) {
+        numElem = env->GetDirectBufferCapacity(ints);
+    } else {
+        numElem = env->GetArrayLength(array);
+    }
+
+    if ((w * h + offset) > numElem)
+    {
+        return;
+    }
+
     if (array == NULL) {
         data = (jint*) env->GetDirectBufferAddress(ints);
-        assert((w*h*4 + offset * 4) == env->GetDirectBufferCapacity(ints));
     } else {
-        assert((w*h + offset) == env->GetArrayLength(array));
         data = (jint*) env->GetPrimitiveArrayCritical(array, 0);
     }
 
@@ -101,15 +102,35 @@ JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkPixels__1attachByte
 {
     (void)obj;
 
+    if (!ptr) return;
+    if (!array && !bytes) return;
+    if (offset < 0) return;
+    if (w <= 0 || h <= 0) return;
+
+    if (w > (((INT_MAX - offset) / 4) / h))
+    {
+        return;
+    }
+
     jbyte *data;
     GdkPixbuf **pixbuf;
     guint8 *dataRGBA;
 
+    jsize numElem;
+    if (array == NULL) {
+        numElem = env->GetDirectBufferCapacity(bytes);
+    } else {
+        numElem = env->GetArrayLength(array);
+    }
+
+    if ((w * h * 4 + offset) > numElem)
+    {
+        return;
+    }
+
     if (array == NULL) {
         data = (jbyte*) env->GetDirectBufferAddress(bytes);
-        assert((w*h*4 + offset) == env->GetDirectBufferCapacity(bytes));
     } else {
-        assert((w*h*4 + offset) == env->GetArrayLength(array));
         data = (jbyte*) env->GetPrimitiveArrayCritical(array, 0);
     }
 

modules/javafx.graphics/src/main/native-glass/gtk/GlassView.cpp

@@ -185,6 +185,9 @@ JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkView__1uploadPixelsDirect
 {
     (void)jView;
 
+    if (!ptr) return;
+    if (!buffer) return;
+
     GlassView* view = JLONG_TO_GLASSVIEW(ptr);
     if (view->current_window) {
         void *data = env->GetDirectBufferAddress(buffer);
@@ -203,10 +206,24 @@ JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkView__1uploadPixelsIntArray
 {
     (void)obj;
 
+    if (!ptr) return;
+    if (!array) return;
+    if (offset < 0) return;
+    if (width <= 0 || height <= 0) return;
+
+    if (width > ((INT_MAX - offset) / height))
+    {
+        return;
+    }
+
+    if ((width * height + offset) > env->GetArrayLength(array))
+    {
+        return;
+    }
+
     GlassView* view = JLONG_TO_GLASSVIEW(ptr);
     if (view->current_window) {
         int *data = NULL;
-        assert((width*height + offset) == env->GetArrayLength(array));
         data = (int*)env->GetPrimitiveArrayCritical(array, 0);
 
         view->current_window->paint(data + offset, width, height);
@@ -225,11 +242,25 @@ JNIEXPORT void JNICALL Java_com_sun_glass_ui_gtk_GtkView__1uploadPixelsByteArray
 {
     (void)obj;
 
+    if (!ptr) return;
+    if (!array) return;
+    if (offset < 0) return;
+    if (width <= 0 || height <= 0) return;
+
+    if (width > (((INT_MAX - offset) / 4) / height))
+    {
+        return;
+    }
+
+    if ((4 * width * height + offset) > env->GetArrayLength(array))
+    {
+        return;
+    }
+
     GlassView* view = JLONG_TO_GLASSVIEW(ptr);
     if (view->current_window) {
         unsigned char *data = NULL;
 
-        assert((4*width*height + offset) == env->GetArrayLength(array));
         data = (unsigned char*)env->GetPrimitiveArrayCritical(array, 0);
 
         view->current_window->paint(data + offset, width, height);