Bug
Resolution: Won't Fix
P4
None
1.4.2_10
generic
solaris
There is a bug in src/solaris/native/sun/awt/awt_ScrollPane.c. This is the native backing code for sun.awt.motif.MScrollPanePeer. MScrollPanePeer is an MPanelPeer, which is an MCanvasPeer. However, when the native code mallocs the struct for the native data for the Peer, it only mallocs enough space for a struct ComponentData, whereas the native backing data should be a struct CanvasData. Where this bug manifests itself is in src/solaris/native/sun/awt/awt_Canvas.c. This code is passed the 'parent' jobject, and assumes that its native backing data is as large as a struct CanvasData. However, a ScrollPane can be the parent of a Canvas, and when Java_sun_awt_motif_MCanvasPeer_create() executes in this situation, it casts the parent's native pointer to a struct CanvasData and reads memory outside of the malloc'd struct ComponentData towards the end of the function.
The solution I found to this bug is to have awt_ScrollPane.c malloc a struct CanvasData instead of a struct ComponentData. The source diff is in suggested fix.
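The undersized allocation and the widened allocation described above, as an added example that is not code from the report or from the JDK sources. The struct layouts, the function names and the `alloc_size` tag used for a checked downcast are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Simplified stand-ins, NOT the real JDK definitions. alloc_size is a
 * hypothetical tag added here so the downcast can be checked. */
struct ComponentData { int widget; size_t alloc_size; };
struct CanvasData    { struct ComponentData comp; int shell; int flags; };

/* Before: the peer is a canvas subtype, yet only the base struct is allocated. */
static struct ComponentData *scrollpane_alloc_before(void) {
    struct ComponentData *c = calloc(1, sizeof(struct ComponentData));
    if (c) c->alloc_size = sizeof(struct ComponentData);
    return c;
}

/* After: allocate the struct that the peer hierarchy implies. */
static struct ComponentData *scrollpane_alloc_after(void) {
    struct CanvasData *c = calloc(1, sizeof(struct CanvasData));
    if (!c) return NULL;
    c->comp.alloc_size = sizeof(struct CanvasData);
    c->shell = 42;                 /* constructed sample value */
    return &c->comp;               /* same address as c (first member) */
}

/* Checked downcast: only treat the block as CanvasData if it is big enough. */
static struct CanvasData *as_canvas(struct ComponentData *p) {
    if (p == NULL || p->alloc_size < sizeof(struct CanvasData)) return NULL;
    return (struct CanvasData *)p;
}

/* Models a canvas create path reading a canvas-only field of its parent.
 * Returns -1 instead of reading past an undersized block. */
static int read_parent_shell(struct ComponentData *parent) {
    struct CanvasData *cd = as_canvas(parent);
    return cd ? cd->shell : -1;
}

int main(void) {
    struct ComponentData *before = scrollpane_alloc_before();
    struct ComponentData *after  = scrollpane_alloc_after();
    if (!before || !after) return 1;
    printf("before: %d\n", read_parent_shell(before));
    printf("after:  %d\n", read_parent_shell(after));
    free(before);
    free(after);
    return 0;
}
```

Without the size check, the read on the `before` block is the out-of-bounds heap read the report describes; building the original pattern with AddressSanitizer reports it as a heap-buffer-overflow.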