8292112: Better DragView handling

Reviewed-by: rhalade, arapte, aghaisas
openjdk · Jan 17, 2023 · 13fc07a · 13fc07a
1 parent 09a7f9a
commit 13fc07a
Showing 1 changed file with 20 additions and 3 deletions.
diff --git a/modules/javafx.graphics/src/main/native-glass/gtk/glass_dnd.cpp b/modules/javafx.graphics/src/main/native-glass/gtk/glass_dnd.cpp
@@ -421,7 +421,11 @@ static jobject dnd_target_get_image(JNIEnv *env)
 
     while(*cur_target != 0 && result == NULL) {
         if (dnd_target_receive_data(env, *cur_target, &ctx)) {
-            stream = g_memory_input_stream_new_from_data(ctx.data, ctx.length * (ctx.format / 8),
+            const gint fmtDiv8 = ctx.format / 8;
+            if (ctx.length <= 0 || fmtDiv8 <= 0 || ctx.length >= INT_MAX / fmtDiv8) {
+                continue;
+            }
+            stream = g_memory_input_stream_new_from_data(ctx.data, ctx.length * fmtDiv8,
                     (GDestroyNotify)g_free);
             buf = gdk_pixbuf_new_from_stream(stream, NULL, NULL);
             if (buf) {
@@ -441,6 +445,13 @@ static jobject dnd_target_get_image(JNIEnv *env)
                 w = gdk_pixbuf_get_width(buf);
                 h = gdk_pixbuf_get_height(buf);
                 stride = gdk_pixbuf_get_rowstride(buf);
+
+                if (h <= 0 || stride <= 0 || h >= INT_MAX / stride) {
+                    g_object_unref(buf);
+                    g_object_unref(stream);
+                    continue;
+                }
+
                 data = gdk_pixbuf_get_pixels(buf);
 
                 //Actually, we are converting RGBA to BGRA, but that's the same operation
@@ -474,7 +485,12 @@ static jobject dnd_target_get_raw(JNIEnv *env, GdkAtom target, gboolean string_d
              result = env->NewStringUTF((char *)ctx.data);
              EXCEPTION_OCCURED(env);
         } else {
-            jsize length = ctx.length * (ctx.format / 8);
+            const gint fmtDiv8 = ctx.format / 8;
+            if (ctx.length <= 0 || fmtDiv8 <= 0 || ctx.length >= INT_MAX / fmtDiv8) {
+                g_free(ctx.data);
+                return result;
+            }
+            jsize length = ctx.length * fmtDiv8;
             jbyteArray array = env->NewByteArray(length);
             EXCEPTION_OCCURED(env);
             env->SetByteArrayRegion(array, 0, length, (const jbyte*)ctx.data);
@@ -907,7 +923,8 @@ GdkPixbuf* DragView::get_drag_image(GtkWidget *widget, gboolean* is_raw_image, g
                 h = BSWAP_32(int_raw[1]);
 
                 // We should have enough pixels for requested width and height
-                if ((nraw - whsz) / 4 - w * h >= 0 ) {
+                if (w > 0 && h > 0 &&  w < (INT_MAX / 4) / h &&
+                        (nraw - whsz) / 4 - w * h >= 0) {
                     guchar* data = (guchar*) g_try_malloc0(nraw - whsz);
                     if (data) {
                         memcpy(data, (raw + whsz), nraw - whsz);