JNI: Guard against int. overflow w/ ICC profiles

2026-01-18 21:41:20 +01:00 · 2024-09-14 12:42:12 -04:00
parent 9b01f5a057
commit 6d02718d9a
1 changed files with 4 additions and 0 deletions
--- a/java/turbojpeg-jni.c
+++ b/java/turbojpeg-jni.c
@@ -675,6 +675,8 @@ JNIEXPORT jbyteArray JNICALL Java_org_libjpegturbo_turbojpeg_TJDecompressor_getI

  if (tj3GetICCProfile(handle, &iccBuf, &iccSize) == -1)
    THROW_TJ();
+  if (iccSize > (size_t)INT_MAX)
+    THROW_ARG("ICC profile is too large");

  BAILIF0(icc = (*env)->NewByteArray(env, (jsize)iccSize));
  BAILIF0NOEC(jICCBuf = (*env)->GetPrimitiveArrayCritical(env, icc, 0));
@@ -696,6 +698,8 @@ JNIEXPORT jint JNICALL Java_org_libjpegturbo_turbojpeg_TJDecompressor_getICCSize
  GET_HANDLE();

  tj3GetICCProfile(handle, NULL, &iccSize);
+  if (iccSize > (size_t)INT_MAX)
+    THROW_ARG("ICC profile is too large");

 bailout:
  return (jint)iccSize;