changeset 10427:180c05796c45

7058618: PNG parser bugs found via zzuf fuzzing Reviewed-by: prr, vadim
author bae
date Thu, 10 Oct 2013 18:59:01 +0400
parents 8fd757f31470
children 0c2ba6a67b0d
files src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
diffstat 1 files changed, 30 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Fri Oct 04 16:17:59 2013 -0700
+++ b/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Thu Oct 10 18:59:01 2013 +0400
@@ -688,6 +688,21 @@
             loop: while (true) {
                 int chunkLength = stream.readInt();
                 int chunkType = stream.readInt();
+                int chunkCRC;
+
+                // verify the chunk length
+                if (chunkLength < 0) {
+                    throw new IIOException("Invalid chunk lenght " + chunkLength);
+                };
+
+                try {
+                    stream.mark();
+                    stream.seek(stream.getStreamPosition() + chunkLength);
+                    chunkCRC = stream.readInt();
+                    stream.reset();
+                } catch (IOException e) {
+                    throw new IIOException("Invalid chunk length " + chunkLength);
+                }
 
                 switch (chunkType) {
                 case IDAT_TYPE:
@@ -762,7 +777,11 @@
                     break;
                 }
 
-                int chunkCRC = stream.readInt();
+                // double check whether all chunk data were consumed
+                if (chunkCRC != stream.readInt()) {
+                    throw new IIOException("Failed to read a chunk of type " +
+                            chunkType);
+                }
                 stream.flushBefore(stream.getStreamPosition());
             }
         } catch (IOException e) {
@@ -1277,6 +1296,16 @@
             is = new BufferedInputStream(is);
             this.pixelStream = new DataInputStream(is);
 
+            /*
+             * NB: the PNG spec declares that valid range for width
+             * and height is [1, 2^31-1], so here we may fail to allocate
+             * a buffer for destination image due to memory limitation.
+             *
+             * However, the recovery strategy for this case should be
+             * defined on the level of application, so we will not
+             * try to estimate the required amount of the memory and/or
+             * handle OOM in any way.
+             */
             theImage = getDestination(param,
                                       getImageTypes(0),
                                       width,