8313064: General enhancements of image handling

Reviewed-by: rhalade, jdv, kcr

Author: arapte

modules/javafx.graphics/src/main/native-glass/win/Pixels.cpp

@@ -32,10 +32,36 @@
 
 Bitmap::Bitmap(int width, int height)
 {
-    BYTE *mpixels = new BYTE[width * height];
-    memset(mpixels, 0, width * height);
-    Attach(::CreateBitmap(width, height, 1, 1, mpixels));
-    delete[] mpixels;
+    if (width <= 0 || height <= 0) {
+        return;
+    }
+
+    int numPlanes = 1;
+    int bitCount = 1; // monochrome bitmap
+    // refer : Doc of ::CreateBitmap(): Each scan line in the rectangle must be word aligned
+    if (width > INT_MAX - 15) {
+        fprintf(stderr, "Bitmap: Failed to create monochrome bitmap for icon.\n");
+        return;
+    }
+    int scanLength = (((width * numPlanes * bitCount + 15) >> 4) << 1);
+
+    if (scanLength > INT_MAX / height) {
+        fprintf(stderr, "Bitmap: Failed to create monochrome bitmap for icon.\n");
+        return;
+    }
+
+    int bufSize = scanLength * height;
+    BYTE *mpixels = new BYTE[bufSize];
+    if (mpixels != NULL) {
+        memset(mpixels, 0, bufSize);
+        HBITMAP bmp = ::CreateBitmap(width, height, numPlanes, bitCount, mpixels);
+        if (bmp != NULL) {
+            Attach(bmp);
+        } else {
+            fprintf(stderr, "Bitmap: Failed to create monochrome bitmap for icon.\n");
+        }
+        delete[] mpixels;
+    }
     ASSERT((HBITMAP)*this);
 }
 

modules/javafx.graphics/src/main/native-glass/win/Utils.h

@@ -124,8 +124,15 @@ class DNTString {
     DNTString(int limit) :
        m_limit(limit), m_length(0), m_substrings(NULL), m_count(0)
     {
+        if (limit < MIN_LIMIT) {
+            m_limit = limit = MIN_LIMIT;
+        }
         wszStr = new wchar_t[limit];
-        memset(wszStr, 0, limit*sizeof(wchar_t));
+        if (wszStr) {
+            memset(wszStr, 0, limit * sizeof(wchar_t));
+        } else {
+            m_limit = MIN_LIMIT;
+        }
     }
     ~DNTString() {
         if (wszStr) {
@@ -146,17 +153,25 @@ class DNTString {
         wchar_t * const oldStr = wszStr;
         const size_t oldLimit = m_limit;
 
+        if (limit < MIN_LIMIT) {
+            limit = MIN_LIMIT;
+        }
         m_limit = limit;
-        wszStr = new wchar_t[limit];
-        memset(wszStr, 0, limit*sizeof(wchar_t));
+        wszStr = new wchar_t[m_limit];
+        if (wszStr) {
+            memset(wszStr, 0, m_limit * sizeof(wchar_t));
 
-        if (copy && oldStr) {
-            wmemcpy_s(wszStr, m_limit - 1, oldStr, min(oldLimit - 1, m_limit - 1));
-            m_length = min(m_length, m_limit - 2);
-        }
+            if (copy && oldStr) {
+                wmemcpy_s(wszStr, m_limit - 1, oldStr, min(oldLimit - 1, m_limit - 1));
+                m_length = min(m_length, m_limit - MIN_LIMIT);
+            }
 
-        if (oldStr) {
-            delete[] oldStr;
+            if (oldStr) {
+                delete[] oldStr;
+            }
+        } else {
+            wszStr = oldStr;
+            m_limit = oldLimit;
         }
     }
 
@@ -166,31 +181,53 @@ class DNTString {
     }
 
     wchar_t* substring(UINT i) {
+        if (wszStr == NULL) {
+            return NULL;
+        }
         calculateSubstrings();
         return wszStr+m_substrings[i];
     }
 
     // appends the count characters of the src string to the DNT string
     void append(const wchar_t *wszSrc, const size_t count, bool allowGrow = false) {
+        if (wszSrc == NULL) {
+            return;
+        }
         if (allowGrow) {
+            if (count > SIZE_MAX - m_length - 2) {
+                return;
+            }
             if (m_length + count > m_limit - 2) {
                 const size_t GROWTH_RATE = 2; // consider parameterizing this const
 
-                setLimit((m_length + count + 2)*GROWTH_RATE, true);
+                if ((m_length + count + 2) < (SIZE_MAX / GROWTH_RATE)) {
+                    setLimit((m_length + count + 2) * GROWTH_RATE, true);
+                } else {
+                    setLimit((m_length + count + 2), true);
+                }
             }
         }
 
-        // "-1" because this is a _double_ null terminated string
-        wcsncpy_s(wszStr + m_length, m_limit - m_length - 1, wszSrc, count);
-        m_length += count;
-        if (m_length > m_limit) {
-            m_length = m_limit;
+        if (m_limit - m_length - 1 >= count) {
+            // "-1" because this is a _double_ null terminated string
+            int res = wcsncpy_s(wszStr + m_length, m_limit - m_length - 1, wszSrc, count);
+            if (res == 0) { // wcsncpy_s succeeded
+                m_length += count;
+                if (m_length > m_limit) {
+                    m_length = m_limit;
+                }
+            } else {
+                m_length = 0;
+            }
         }
     }
 
     // recalculates the length of the DNT string
     // use the function when wszStr could be modified directly
     void calculateLength() {
+        if (wszStr == NULL) {
+            return;
+        }
         size_t i = 0;
         while(wszStr[i] != L'\0' || wszStr[i+1] != L'\0') {
             i++;
@@ -205,6 +242,9 @@ class DNTString {
 private:
 
     void calculateSubstrings() {
+        if (wszStr == NULL) {
+            return;
+        }
         if (m_substrings)
             return;
 
@@ -230,6 +270,7 @@ class DNTString {
 
     wchar_t *wszStr;
     size_t m_length, m_limit;
+    static const size_t MIN_LIMIT = 2;
 
     size_t *m_substrings;
     UINT m_count; // the count of the substrings

modules/javafx.graphics/src/main/native-prism-d3d/D3DContext.cc

@@ -629,24 +629,27 @@ HRESULT D3DContext::setDeviceParametersFor3D() {
     return res;
 }
 
-/*
- * Note: this method assumes that pIndices is not null
- */
-static HRESULT fillQuadIndices(IDirect3DIndexBuffer9 *pIndices, int maxQuads) {
-    short * data = 0;
-    HRESULT hr = pIndices->Lock(0, maxQuads * 6 * sizeof(short), (void **)&data, 0);
-    if (SUCCEEDED(hr) && data) {
-        for (int i = 0; i != maxQuads; ++i) {
-            int vtx = i * 4;
-            int idx = i * 6;
-            data[idx + 0] = vtx + 0;
-            data[idx + 1] = vtx + 1;
-            data[idx + 2] = vtx + 2;
-            data[idx + 3] = vtx + 2;
-            data[idx + 4] = vtx + 1;
-            data[idx + 5] = vtx + 3;
+HRESULT D3DContext::createIndexBuffer() {
+    RETURN_STATUS_IF_NULL(pd3dDevice, S_FALSE);
+    HRESULT hr = pd3dDevice->CreateIndexBuffer(sizeof(short) * 6 * MAX_BATCH_QUADS,
+        D3DUSAGE_WRITEONLY, D3DFMT_INDEX16, getResourcePool(), &pIndices, 0);
+    // fill index buffer
+    if (hr == D3D_OK && pIndices) {
+        short* data = 0;
+        hr = pIndices->Lock(0, 0, (void **)&data, 0);
+        if (SUCCEEDED(hr) && data) {
+            for (int i = 0; i < MAX_BATCH_QUADS; i++) {
+                int vtx = i * 4;
+                int idx = i * 6;
+                data[idx + 0] = vtx + 0;
+                data[idx + 1] = vtx + 1;
+                data[idx + 2] = vtx + 2;
+                data[idx + 3] = vtx + 2;
+                data[idx + 4] = vtx + 1;
+                data[idx + 5] = vtx + 3;
+            }
+            hr = pIndices->Unlock();
         }
-        hr = pIndices->Unlock();
     }
     return hr;
 }
@@ -699,11 +702,7 @@ HRESULT D3DContext::InitDevice(IDirect3DDevice9 *pd3dDevice)
 //    RETURN_STATUS_IF_FAILED(res);
 
     if (pIndices == NULL) {
-        res = pd3dDevice->CreateIndexBuffer(sizeof(short) * 6 * MAX_BATCH_QUADS,
-            D3DUSAGE_WRITEONLY, D3DFMT_INDEX16, getResourcePool(), &pIndices, 0);
-        if (pIndices) {
-            res = fillQuadIndices(pIndices, MAX_BATCH_QUADS);
-        }
+        res = createIndexBuffer();
         RETURN_STATUS_IF_FAILED(res);
     }
 //    res = pd3dDevice->SetIndices(pIndices);

modules/javafx.graphics/src/main/native-prism-d3d/D3DContext.h

@@ -261,6 +261,7 @@ class D3DContext {
 
     D3DContext(IDirect3D9 *pd3d, IDirect3D9Ex *pd3dEx, UINT adapter);
     HRESULT InitDevice(IDirect3DDevice9 *d3dDevice);
+    HRESULT createIndexBuffer();
     HRESULT InitContextCaps();
     IDirect3DDevice9        *pd3dDevice;
     IDirect3DDevice9Ex      *pd3dDeviceEx;

modules/javafx.graphics/src/main/native-prism-es2/GLContext.c

@@ -1011,6 +1011,11 @@ jboolean doReadPixels(JNIEnv *env, jlong nativeCtxInfo, jint length, jobject buf
         return JNI_FALSE;
     }
 
+    if (width <= 0 || height <= 0) {
+        fprintf(stderr, "doReadPixels: width or height is <= 0\n");
+        return JNI_FALSE;
+    }
+
     // sanity check, do we have enough memory
     // length, width and height are non-negative
     if ((length / 4 / width) < height) {

modules/javafx.graphics/src/main/native-prism-sw/JAbstractSurface.c

@@ -29,6 +29,7 @@
 #include <PiscesSysutils.h>
 
 #include <PiscesSurface.inl>
+#include <limits.h>
 
 #define SURFACE_NATIVE_PTR 0
 #define SURFACE_LAST SURFACE_NATIVE_PTR
@@ -74,12 +75,33 @@ Java_com_sun_pisces_AbstractSurface_getRGBImpl(JNIEnv* env, jobject objectHandle
                   (*env)->GetLongField(env, objectHandle,
                                        fieldIds[SURFACE_NATIVE_PTR]));
 
-    CORRECT_DIMS(surface, x, y, width, height, dstX, dstY);
+    if (surface == NULL)  {
+        JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Invalid surface");
+        return;
+    }
+    int surfaceWidth = surface->width;
+    int surfaceHeight = surface->height;
+    if (x < 0 || x >= surfaceWidth ||
+        y < 0 || y >= surfaceHeight ||
+        width  < 0 || width  > (surfaceWidth  - x) ||
+        height < 0 || height > (surfaceHeight - y) ||
+        scanLength < width) {
+        JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Illegal arguments");
+        return;
+    }
 
     if ((width > 0) && (height > 0)) {
         jint* dstData;
         jsize dstDataLength = (*env)->GetArrayLength(env, arrayHandle);
+        if (dstY > ((INT_MAX - offset - dstX) / scanLength)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of bounds offset or scan length");
+            return;
+        }
         jint dstStart = offset + dstY * scanLength + dstX;
+        if (scanLength > ((INT_MAX - dstStart) / height)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of bounds offset or scan length");
+            return;
+        }
         jint dstEnd = dstStart + height * scanLength - 1;
         if ((dstStart < 0) || (dstStart >= dstDataLength) || (dstEnd < 0) || (dstEnd >= dstDataLength)) {
             JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of range access of buffer");
@@ -130,12 +152,35 @@ Java_com_sun_pisces_AbstractSurface_setRGBImpl(JNIEnv* env, jobject objectHandle
                   (*env)->GetLongField(env, objectHandle,
                                        fieldIds[SURFACE_NATIVE_PTR]));
 
-    CORRECT_DIMS(surface, x, y, width, height, srcX, srcY);
+    if (surface == NULL)  {
+        JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Invalid surface");
+        return;
+    }
+    int surfaceWidth = surface->width;
+    int surfaceHeight = surface->height;
+    if (x < 0 || x >= surfaceWidth ||
+        y < 0 || y >= surfaceHeight ||
+        width  < 0 || width  > (surfaceWidth  - x) ||
+        height < 0 || height > (surfaceHeight - y) ||
+        scanLength < width) {
+        JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Illegal arguments");
+        return;
+    }
 
     if ((width > 0) && (height > 0)) {
         jint* srcData;
         jsize srcDataLength = (*env)->GetArrayLength(env, arrayHandle);
+
+        if (srcY > ((INT_MAX - offset - srcX) / scanLength)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of bounds offset or scan length");
+            return;
+        }
         jint srcStart = offset + srcY * scanLength + srcX;
+
+        if (scanLength > ((INT_MAX - srcStart) / height)) {
+            JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "Out of bounds offset or scan length");
+            return;
+        }
         jint srcEnd = srcStart + height * scanLength - 1;
         if ((srcStart < 0) || (srcStart >= srcDataLength) || (srcEnd < 0) || (srcEnd >= srcDataLength)) {
             JNI_ThrowNew(env, "java/lang/IllegalArgumentException", "out of range access of buffer");

modules/javafx.graphics/src/main/native-prism-sw/JPiscesRenderer.c

@@ -248,13 +248,17 @@ JNIEXPORT void JNICALL Java_com_sun_pisces_PiscesRenderer_setTextureImpl
 {
     Renderer* rdr;
     Transform6 textureTransform;
-    jint *data;
+    jint *data = NULL;
+    jsize dataLength = (*env)->GetArrayLength(env, dataArray);
 
-    transform_get6(&textureTransform, env, jTransform);
+    if (width > 0 && height > 0 && (width < (INT_MAX / height / sizeof(jint)))
+        && stride > 0 && (height - 1) <= (dataLength - width) / stride) {
+        transform_get6(&textureTransform, env, jTransform);
 
-    rdr = (Renderer*)JLongToPointer((*env)->GetLongField(env, this, fieldIds[RENDERER_NATIVE_PTR]));
+        rdr = (Renderer*)JLongToPointer((*env)->GetLongField(env, this, fieldIds[RENDERER_NATIVE_PTR]));
 
-    data = (jint*)(*env)->GetPrimitiveArrayCritical(env, dataArray, NULL);
+        data = (jint*)(*env)->GetPrimitiveArrayCritical(env, dataArray, NULL);
+    }
     if (data != NULL) {
         jint *alloc_data = my_malloc(jint, width * height);
         if (alloc_data != NULL) {

modules/javafx.graphics/src/main/native-prism-sw/PiscesPaint.c

@@ -1121,30 +1121,32 @@ genTexturePaintMultiply(Renderer *rdr, jint height) {
         break;
     case PAINT_LINEAR_GRADIENT:
     case PAINT_RADIAL_GRADIENT:
-        {
-        jint *imagePaint = my_malloc(jint, w * height);
-        if (imagePaint != NULL) {
-            if (rdr->_prevPaintMode == PAINT_LINEAR_GRADIENT) {
-                genLinearGradientPaint(rdr, height);
-            } else {
-                genRadialGradientPaint(rdr, height);
-            }
-            genTexturePaintTarget(rdr, imagePaint, height);
-            for (i = 0; i < height; i++) {
-                idx = i * paintStride;
-                for (j = 0; j < w; j++) {
-                    pval = paint[idx + j];
-                    tval = imagePaint[idx + j];
-                    palpha_1 = ((pval >> 24) & 0xFF) + 1;
-                    oalpha = (palpha_1 * ((tval >> 24) & 0xFF)) >> 8;
-                    ored = ((((((pval >> 16) & 0xFF) + 1) * ((tval >> 16) & 0xFF)) >> 8) * palpha_1) >> 8;
-                    ogreen = ((((((pval >> 8) & 0xFF) + 1) * ((tval >> 8) & 0xFF)) >> 8) * palpha_1) >> 8;
-                    oblue = (((((pval & 0xFF) + 1) * (tval & 0xFF)) >> 8) * palpha_1) >> 8;
-                    paint[idx + j] = (oalpha << 24) | (ored << 16) | (ogreen << 8) | oblue;
+        if (w > 0 && height > 0 && (w < (INT_MAX / height / sizeof(jint)))) {
+            jint *imagePaint = my_malloc(jint, w * height);
+            if (imagePaint != NULL) {
+                if (rdr->_prevPaintMode == PAINT_LINEAR_GRADIENT) {
+                    genLinearGradientPaint(rdr, height);
+                } else {
+                    genRadialGradientPaint(rdr, height);
                 }
+                genTexturePaintTarget(rdr, imagePaint, height);
+                for (i = 0; i < height; i++) {
+                    idx = i * paintStride;
+                    for (j = 0; j < w; j++) {
+                        pval = paint[idx + j];
+                        tval = imagePaint[idx + j];
+                        palpha_1 = ((pval >> 24) & 0xFF) + 1;
+                        oalpha = (palpha_1 * ((tval >> 24) & 0xFF)) >> 8;
+                        ored = ((((((pval >> 16) & 0xFF) + 1) * ((tval >> 16) & 0xFF)) >> 8) * palpha_1) >> 8;
+                        ogreen = ((((((pval >> 8) & 0xFF) + 1) * ((tval >> 8) & 0xFF)) >> 8) * palpha_1) >> 8;
+                        oblue = (((((pval & 0xFF) + 1) * (tval & 0xFF)) >> 8) * palpha_1) >> 8;
+                        paint[idx + j] = (oalpha << 24) | (ored << 16) | (ogreen << 8) | oblue;
+                    }
+                }
+                my_free(imagePaint);
             }
-            my_free(imagePaint);
-        }
+        } else {
+            fprintf(stderr, "Invalid dimensions: width: %d, height: %d\n", w, height);
         }
         break;
     }

modules/javafx.graphics/src/main/native-prism-sw/PiscesSurface.h

@@ -62,24 +62,6 @@
  */
 #define TYPE_INT_ARGB_PRE   com_sun_pisces_RendererBase_TYPE_INT_ARGB_PRE
 
-#define CORRECT_DIMS(_surface, _x, _y, _w, _h, _x1, _y1) \
-  if (_x < 0) {   \
-    _x1 -= _x;    \
-    _w += _x;     \
-    _x = 0;       \
-  }               \
-  if (_y < 0) {   \
-    _y1 -= _y;    \
-    _h += _y;     \
-    _y = 0;       \
-  }               \
-  if ((_x + _w) > (_surface)->width) {  \
-    _w = (_surface)->width - _x;        \
-  }                                   \
-  if ((_y + _h) > (_surface)->height) { \
-    _h = (_surface)->height - _y;       \
-  }
-
 typedef struct _Surface {
     jint width;
     jint height;