8347377: Add validation checks for ICC_Profile header fields

Co-authored-by: Anton Voznia <[email protected]>
Backport-of: ed8945a68a67dd51a7cfa332905941afccc12b36

Author: 2 people

src/java.desktop/share/classes/java/awt/color/ICC_ColorSpace.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -140,10 +140,11 @@ public ICC_ColorSpace(ICC_Profile profile) {
         if (profileClass != ICC_Profile.CLASS_INPUT
                 && profileClass != ICC_Profile.CLASS_DISPLAY
                 && profileClass != ICC_Profile.CLASS_OUTPUT
+                && profileClass != ICC_Profile.CLASS_DEVICELINK
                 && profileClass != ICC_Profile.CLASS_COLORSPACECONVERSION
                 && profileClass != ICC_Profile.CLASS_NAMEDCOLOR
                 && profileClass != ICC_Profile.CLASS_ABSTRACT) {
-            throw new IllegalArgumentException("Invalid profile type");
+            throw new IllegalArgumentException("Invalid profile class");
         }
 
         thisProfile = profile;

src/java.desktop/share/classes/java/awt/color/ICC_Profile.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -751,6 +751,7 @@ private interface BuiltInProfile {
      */
     public static final int icXYZNumberX = 8;
 
+    private static final int HEADER_SIZE = 128;
 
     /**
      * Constructs an {@code ICC_Profile} object with a given ID.
@@ -799,10 +800,15 @@ public static ICC_Profile getInstance(byte[] data) {
         ProfileDataVerifier.verify(data);
         Profile p;
         try {
+            byte[] theHeader = new byte[HEADER_SIZE];
+            System.arraycopy(data, 0, theHeader, 0, HEADER_SIZE);
+            verifyHeader(theHeader);
+
             p = CMSManager.getModule().loadProfile(data);
         } catch (CMMException c) {
             throw new IllegalArgumentException("Invalid ICC Profile Data");
         }
+
         try {
             if (getColorSpaceType(p) == ColorSpace.TYPE_GRAY
                     && getData(p, icSigMediaWhitePointTag) != null
@@ -991,6 +997,10 @@ public int getProfileClass() {
             return info.profileClass;
         }
         byte[] theHeader = getData(icSigHead);
+        return getProfileClass(theHeader);
+    }
+
+    private static int getProfileClass(byte[] theHeader) {
         int theClassSig = intFromBigEndian(theHeader, icHdrDeviceClass);
         return switch (theClassSig) {
             case icSigInputClass -> CLASS_INPUT;
@@ -1032,6 +1042,11 @@ private static int getColorSpaceType(Profile p) {
         return iccCStoJCS(theColorSpaceSig);
     }
 
+    private static int getColorSpaceType(byte[] theHeader) {
+        int theColorSpaceSig = intFromBigEndian(theHeader, icHdrColorSpace);
+        return iccCStoJCS(theColorSpaceSig);
+    }
+
     /**
      * Returns the color space type of the Profile Connection Space (PCS).
      * Returns one of the color space type constants defined by the ColorSpace
@@ -1051,6 +1066,21 @@ public int getPCSType() {
         return iccCStoJCS(thePCSSig);
     }
 
+    private static int getPCSType(byte[] theHeader) {
+        int thePCSSig = intFromBigEndian(theHeader, icHdrPcs);
+        int theDeviceClass = intFromBigEndian(theHeader, icHdrDeviceClass);
+
+        if (theDeviceClass == icSigLinkClass) {
+            return iccCStoJCS(thePCSSig);
+        } else {
+            return switch (thePCSSig) {
+                case icSigXYZData -> ColorSpace.TYPE_XYZ;
+                case icSigLabData -> ColorSpace.TYPE_Lab;
+                default -> throw new IllegalArgumentException("Unexpected PCS type");
+            };
+        }
+    }
+
     /**
      * Write this {@code ICC_Profile} to a file.
      *
@@ -1129,9 +1159,42 @@ private static byte[] getData(Profile p, int tagSignature) {
      * @see #getData
      */
     public void setData(int tagSignature, byte[] tagData) {
+        if (tagSignature == ICC_Profile.icSigHead) {
+            verifyHeader(tagData);
+        }
         CMSManager.getModule().setTagData(cmmProfile(), tagSignature, tagData);
     }
 
+    private static void verifyHeader(byte[] data) {
+        if (data == null || data.length < HEADER_SIZE) {
+            throw new IllegalArgumentException("Invalid header data");
+        }
+        getProfileClass(data);
+        getColorSpaceType(data);
+        getPCSType(data);
+        checkRenderingIntent(data);
+    }
+
+    private static boolean checkRenderingIntent(byte[] header) {
+        int index = ICC_Profile.icHdrRenderingIntent;
+
+        /* According to ICC spec, only the least-significant 16 bits shall be
+         * used to encode the rendering intent. The most significant 16 bits
+         * shall be set to zero. Thus, we are ignoring two most significant
+         * bytes here. Please refer ICC Spec Document for more details.
+         */
+        int renderingIntent = ((header[index+2] & 0xff) <<  8) |
+                              (header[index+3] & 0xff);
+
+        switch (renderingIntent) {
+            case icPerceptual, icMediaRelativeColorimetric,
+                    icSaturation, icAbsoluteColorimetric -> {
+                return true;
+            }
+            default -> throw new IllegalArgumentException("Unknown Rendering Intent");
+        }
+    }
+
     /**
      * Returns the number of color components in the "input" color space of this
      * profile. For example if the color space type of this profile is