I. BACKGROUND

http://en.wikipedia.org/wiki/JavaSE
http://openjdk.java.net/projects/jdk7u/
http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk  // Java and native sources


II. DESCRIPTION

Java's sun.awt.image.BytePackedRaster.verify() method is vulnerable to a signed
integer overflow that allows its "dataBitOffset" / array-bounds check to be
bypassed. The "lastbit" value is computed in 32-bit int arithmetic, so a large
or negative scanlineStride wraps it into a range that satisfies the
"lastbit / 8 >= data.length" test even though the raster does not fit in data[]:

    // sun.awt.image.BytePackedRaster
    private void verify (boolean strictCheck) {
        // Make sure data for Raster is in a legal range
        if (dataBitOffset < 0) {
            throw new RasterFormatException("Data offsets must be >= 0");
        }

        // Computed in 32-bit int arithmetic: (height-1) * scanlineStride * 8
        // wraps for a large or negative scanlineStride, so the bounds test
        // below can be satisfied by a raster that does not fit in data[].
        int lastbit = (dataBitOffset
                       + (height-1) * scanlineStride * 8
                       + (width-1) * pixelBitStride
                       + pixelBitStride - 1);
        if (lastbit / 8 >= data.length) {
            throw new RasterFormatException("raster dimensions overflow array bounds");
        }
        if (strictCheck) {
            if (height > 1) {
                lastbit = width * pixelBitStride - 1;
                if (lastbit / 8 >= scanlineStride) {
                    throw new RasterFormatException("data for adjacent scanlines overlaps");
                }
            }
        }
    }

BufImgSurfaceData.createDataBP() then passes the negative scanlineStride to the
native Java_sun_awt_image_BufImgSurfaceData_initRaster() without any further checks:
  
    // sun.awt.image.BufImgSurfaceData
    public static SurfaceData createDataBP(BufferedImage bImg,
                                           SurfaceType sType) {
        BytePackedRaster bpRaster = (BytePackedRaster)bImg.getRaster();
        BufImgSurfaceData bisd = new BufImgSurfaceData(bpRaster.getDataBuffer(), bImg, sType);
        ColorModel cm = bImg.getColorModel();
        IndexColorModel icm = ((cm instanceof IndexColorModel) ? (IndexColorModel) cm : null);
        
        bisd.initRaster(bpRaster.getDataStorage(),
                        bpRaster.getDataBitOffset() / 8,
                        bpRaster.getDataBitOffset() & 7,
                        bpRaster.getWidth(),
                        bpRaster.getHeight(),
                        0,
                        bpRaster.getScanlineStride(),  // not re-validated; may be negative
                        icm);
        return bisd;
    }

In native code the out-of-range scanlineStride causes raster rows to be written
outside the raster's data storage, corrupting memory.
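The following is an added example, not OpenJDK or Oracle code. It replays the int
arithmetic of the verify() quoted above on plain parameters to show both
failure modes described in this section: a large positive scanlineStride that
wraps "lastbit" past the strict check, and a negative scanlineStride that is
accepted on the non-strict path and would then reach initRaster() through
createDataBP(). The hardened variant beside it is this example's own
suggestion (reject negative geometry up front, compute the bound in 64-bit),
not the vendor's patch.

```java
import java.awt.image.RasterFormatException;

/*
 * Added example (not OpenJDK/Oracle code): reproduces the int arithmetic of
 * the BytePackedRaster.verify() quoted in the advisory and contrasts it with
 * an overflow-safe check.  verifyHardened() is this example's own suggestion.
 */
public class VerifyOverflowDemo {

    /* Same arithmetic and checks as the advisory's verify(), on plain ints. */
    static void verifyVulnerable(int dataBitOffset, int width, int height,
                                 int pixelBitStride, int scanlineStride,
                                 int dataLength, boolean strictCheck) {
        if (dataBitOffset < 0) {
            throw new RasterFormatException("Data offsets must be >= 0");
        }
        // 32-bit signed int: (height-1) * scanlineStride * 8 silently wraps
        int lastbit = (dataBitOffset
                       + (height - 1) * scanlineStride * 8
                       + (width - 1) * pixelBitStride
                       + pixelBitStride - 1);
        if (lastbit / 8 >= dataLength) {
            throw new RasterFormatException("raster dimensions overflow array bounds");
        }
        if (strictCheck && height > 1) {
            lastbit = width * pixelBitStride - 1;
            if (lastbit / 8 >= scanlineStride) {
                throw new RasterFormatException("data for adjacent scanlines overlaps");
            }
        }
    }

    /* Hardened variant (this example's assumption, not the vendor fix): reject
       non-positive geometry and negative/oversized strides first, then compute
       the last bit in 64-bit so no wrap is possible. */
    static void verifyHardened(int dataBitOffset, int width, int height,
                               int pixelBitStride, int scanlineStride,
                               int dataLength) {
        if (width <= 0 || height <= 0 || pixelBitStride <= 0) {
            throw new RasterFormatException("Invalid raster dimension");
        }
        if (dataBitOffset < 0) {
            throw new RasterFormatException("Data offsets must be >= 0");
        }
        // A negative stride never describes a valid layout; bounding it by
        // Integer.MAX_VALUE / height keeps the long arithmetic below exact.
        if (scanlineStride < 0 || scanlineStride > Integer.MAX_VALUE / height) {
            throw new RasterFormatException("Invalid scanline stride");
        }
        long lastbit = (long) dataBitOffset
                     + (long) (height - 1) * scanlineStride * 8L
                     + (long) (width - 1) * pixelBitStride
                     + pixelBitStride - 1L;
        if (lastbit / 8 >= dataLength) {
            throw new RasterFormatException("raster dimensions overflow array bounds");
        }
        if (height > 1 && ((long) width * pixelBitStride - 1) / 8 >= scanlineStride) {
            throw new RasterFormatException("data for adjacent scanlines overlaps");
        }
    }

    /* Runs one check and reports whether it accepted or rejected the raster. */
    static String outcome(String label, Runnable check) {
        try {
            check.run();
            return label + ": ACCEPTED";
        } catch (RasterFormatException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        final int dataLength = 8;  // constructed: an 8-byte DataBufferByte backing store

        // Case 1: 1x2 raster, 1 bit per pixel, scanlineStride = 0x10000000.
        // (height-1) * scanlineStride * 8 == 2^31 wraps to Integer.MIN_VALUE,
        // so lastbit / 8 is negative and the bounds test passes even with
        // strictCheck, although row 2 would start 256 MiB past an 8-byte array.
        System.out.println(outcome("vulnerable, stride 0x10000000",
            () -> verifyVulnerable(0, 1, 2, 1, 0x10000000, dataLength, true)));
        System.out.println(outcome("hardened,   stride 0x10000000",
            () -> verifyHardened(0, 1, 2, 1, 0x10000000, dataLength)));

        // Case 2: negative scanlineStride on the non-strict path: lastbit = -8,
        // so -8 / 8 < dataLength and the raster is accepted; this is the kind of
        // value createDataBP() would hand to the native initRaster() unchecked.
        System.out.println(outcome("vulnerable, stride -1",
            () -> verifyVulnerable(0, 1, 2, 1, -1, dataLength, false)));
        System.out.println(outcome("hardened,   stride -1",
            () -> verifyHardened(0, 1, 2, 1, -1, dataLength)));
    }
}
```

Compile and run with javac/java (Java 8 or later for the lambdas). The two
"vulnerable" lines print ACCEPTED while the corresponding "hardened" lines
are rejected, first by the 64-bit bounds test and then by the negative-stride
check. The division by 8 is what hides the wrap: once lastbit is negative,
lastbit / 8 is always below any array length, so no later comparison can
recover the error.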



III. ANALYSIS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable 
installations of Oracle Java. User interaction is required to exploit this 
vulnerability in that the target must visit a malicious page or open a malicious file.



IV. DETECTION

Oracle Java SE 6u41, 7u15
