Factories are used to create a raster object verified through a `verify()` method. By overriding a `getNumDataElements` method to return 0, the checks can be avoided, and thus malicious raster objects (which blit/change pixel values maliciously to corrupt memory) can be returned and run.
`public final BufferedImage filter (BufferedImage src, BufferedImage dst)`
Each `BufferedImage` contains `hintP->dataOffset` and `hint->numChans`, which contain values for the `ColorModel` and `SampleModel` members of the `BufferedImage`.
- Because the size of the hint is assumed to always be kept the same as the `ColorModel`/`SampleModel`, no bounds checks are performed, meaning a maliciously overridden hint can escape the buffer and corrupt heap memory.
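
The bounds check that the hint passage above says is missing, as an added C sketch (not code from the page or from the JDK). Only `dataOffset` and `numChans` come from the text; `hint_t`, its `width`/`height`/`scanStride` fields, `MAX_CHANS` and the interleaved layout are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANS 4 /* assumed cap for this sketch */

/* Hypothetical hint: only dataOffset and numChans are named on the page;
 * the other fields and the interleaved layout are assumptions. */
typedef struct {
    int32_t dataOffset; /* index of the first sample in the buffer */
    int32_t numChans;   /* samples per pixel */
    int32_t width, height;
    int32_t scanStride; /* samples per row */
} hint_t;

/* True only if every sample the hint can address lies inside buf_len. */
bool hint_in_bounds(const hint_t *h, size_t buf_len)
{
    if (h->numChans < 1 || h->numChans > MAX_CHANS) return false;
    if (h->dataOffset < 0 || h->width < 1 || h->height < 1) return false;
    /* 64-bit math: products of two int32 values cannot overflow int64 */
    int64_t row = (int64_t)h->width * h->numChans;
    if (h->scanStride < row) return false;
    int64_t last = (int64_t)h->dataOffset
                 + (int64_t)(h->height - 1) * h->scanStride + (row - 1);
    return (uint64_t)last < buf_len;
}

/* Checked read: validates the hint and the coordinates before indexing. */
bool read_sample(const uint8_t *buf, size_t buf_len, const hint_t *h,
                 int32_t x, int32_t y, int32_t c, uint8_t *out)
{
    if (!hint_in_bounds(h, buf_len)) return false;
    if (x < 0 || x >= h->width || y < 0 || y >= h->height) return false;
    if (c < 0 || c >= h->numChans) return false;
    int64_t idx = (int64_t)h->dataOffset + (int64_t)y * h->scanStride
                + (int64_t)x * h->numChans + c;
    *out = buf[idx];
    return true;
}

int main(void)
{
    hint_t ok = {0, 3, 4, 2, 12};        /* constructed: 4x2 RGB, 24 samples */
    hint_t tampered = {0, 64, 4, 2, 12}; /* constructed: inflated numChans */
    printf("ok=%d tampered=%d\n", hint_in_bounds(&ok, 24),
           hint_in_bounds(&tampered, 24));
    return 0;
}
```

The point of the check is that the hint is validated against the real buffer length at the moment of use, instead of being assumed to still match the models it was derived from.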
`com.sun.beans.finder.MethodFinder` contains insufficient permission checks, which allow users to get method objects from restricted packages such as `sun.awt.SunToolkit`.