I. BACKGROUND

http://en.wikipedia.org/wiki/JavaSE
http://openjdk.java.net/projects/jdk7u/
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk  // Java and native sources


II. DESCRIPTION

The vulnerable BytePackedRaster.verify() method in Java lets the "dataBitOffset" 
bounds check be bypassed by way of signed integer overflow:

    // sun.awt.image.BytePackedRaster
    private void verify(boolean strictCheck)
    {
        if (dataBitOffset < 0)
            throw new RasterFormatException("Data offsets must be >= 0");
        if ((width <= 0) || (height <= 0) || (height > Integer.MAX_VALUE / width))
            throw new RasterFormatException("Invalid raster dimension");
        if (width - 1 > Integer.MAX_VALUE / pixelBitStride)
            throw new RasterFormatException("Invalid raster dimension");
        if ((scanlineStride < 0) || (scanlineStride > Integer.MAX_VALUE / height))
            throw new RasterFormatException("Invalid scanline stride");

        // Evaluated in 32-bit int. The checks above bound each product on its own,
        // not the "* 8" nor the final sum, so the result can wrap around to a small
        // non-negative value and satisfy the test that follows.
        int lastbit = dataBitOffset + (height - 1) * scanlineStride * 8
                      + (width - 1) * pixelBitStride + pixelBitStride - 1;
        if ((lastbit < 0) || (lastbit / 8 >= data.length))
            throw new RasterFormatException("raster dimensions overflow array bounds");

        if ((strictCheck) && (height > 1))
        {
            lastbit = width * pixelBitStride - 1;
            if (lastbit / 8 >= scanlineStride)
                throw new RasterFormatException("data for adjacent scanlines overlaps");
        }
    }

Subsequently, BufImgSurfaceData.createDataBP() passes the out-of-range 
"getDataBitOffset() / 8" value into the native 
Java_sun_awt_image_BufImgSurfaceData_initRaster() without any checks:

    // sun.awt.image.BufImgSurfaceData
    public static SurfaceData createDataBP(BufferedImage bImg,
                                           SurfaceType sType) {
        BytePackedRaster bpRaster = (BytePackedRaster)bImg.getRaster();
        BufImgSurfaceData bisd = new BufImgSurfaceData(bpRaster.getDataBuffer(), bImg, sType);
        ColorModel cm = bImg.getColorModel();
        IndexColorModel icm = ((cm instanceof IndexColorModel) ? (IndexColorModel) cm : null);

        // The bit offset is split into a byte offset and a bit remainder and handed
        // straight to native code; nothing here re-validates it against the array.
        bisd.initRaster(bpRaster.getDataStorage(),
                        bpRaster.getDataBitOffset() / 8,
                        bpRaster.getDataBitOffset() & 7,
                        bpRaster.getWidth(),
                        bpRaster.getHeight(),
                        0,
                        bpRaster.getScanlineStride(),
                        icm);
        return bisd;
    }

This makes it possible to write outside the raster's data storage and corrupt 
memory.
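As an added worked example (not code from the advisory or from OpenJDK), the lastbit arithmetic of verify() evaluated in int and in long for one constructed set of raster parameters, together with a widened version of the array-bounds test; the class and method names, the parameter values and the data length are assumptions made for illustration.

```java
// Added example, not code from the advisory or OpenJDK: the lastbit expression
// of BytePackedRaster.verify() in 32-bit int (as shipped) and in 64-bit long.
// All parameter values and the data length are constructed for illustration.
public final class RasterBoundCheckDemo {
    // The advisory's arithmetic verbatim: int products and sums can wrap.
    static int lastBitInt(int dataBitOffset, int width, int height,
                          int scanlineStride, int pixelBitStride) {
        return dataBitOffset + (height - 1) * scanlineStride * 8
                + (width - 1) * pixelBitStride + pixelBitStride - 1;
    }

    // Same formula with each term widened to long before multiplying, giving
    // the true bit index even when it exceeds Integer.MAX_VALUE.
    static long lastBitLong(int dataBitOffset, int width, int height,
                            int scanlineStride, int pixelBitStride) {
        return (long) dataBitOffset + (long) (height - 1) * scanlineStride * 8L
                + (long) (width - 1) * pixelBitStride + pixelBitStride - 1L;
    }

    // Widened form of the "raster dimensions overflow array bounds" test.
    static boolean fitsInData(int dataBitOffset, int width, int height,
                              int scanlineStride, int pixelBitStride, int dataLength) {
        long last = lastBitLong(dataBitOffset, width, height, scanlineStride, pixelBitStride);
        return last >= 0 && last / 8 < dataLength;
    }

    public static void main(String[] args) {
        // Constructed values: each passes the per-field range tests in verify()
        // (height * scanlineStride <= Integer.MAX_VALUE), but the "* 8" pushes
        // the scanline term to 2^31 and the int sum wraps to a small value.
        int dataBitOffset = Integer.MAX_VALUE;
        int width = 1, height = 2, pixelBitStride = 8;
        int scanlineStride = 1 << 28;
        int dataLength = 4096;                 // assumed backing array size

        int narrow = lastBitInt(dataBitOffset, width, height, scanlineStride, pixelBitStride);
        long wide = lastBitLong(dataBitOffset, width, height, scanlineStride, pixelBitStride);
        boolean ok = fitsInData(dataBitOffset, width, height, scanlineStride, pixelBitStride, dataLength);

        System.out.println("int  lastbit = " + narrow + " -> original test "
                + (narrow >= 0 && narrow / 8 < dataLength ? "passes" : "fails"));
        System.out.println("long lastbit = " + wide + " -> widened test "
                + (ok ? "passes" : "fails"));
        System.out.println("byte offset reaching initRaster: " + dataBitOffset / 8);
    }
}
```

Compiled and run with javac/java, the narrow result is accepted by the original test while the widened check rejects the same parameters, and the printed byte offset that would reach initRaster() lies far beyond the assumed array size.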



III. ANALYSIS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable 
installations of Oracle Java. User interaction is required to exploit this 
vulnerability in that the target must visit a malicious page or open a malicious file.



IV. DETECTION

Oracle Java SE 6u43, 7u17
