OpenJDK / lambda / lambda / jdk
changeset 10427:180c05796c45
7058618: PNG parser bugs found via zzuf fuzzing
Reviewed-by: prr, vadim
author | bae |
---|---|
date | Thu, 10 Oct 2013 18:59:01 +0400 |
parents | 8fd757f31470 |
children | 0c2ba6a67b0d |
files | src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java |
diffstat | 1 files changed, 30 insertions(+), 1 deletions(-) [+] |
--- a/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Fri Oct 04 16:17:59 2013 -0700
+++ b/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Thu Oct 10 18:59:01 2013 +0400
@@ -688,6 +688,21 @@
 loop: while (true) {
 int chunkLength = stream.readInt();
 int chunkType = stream.readInt();
+ int chunkCRC;
+
+ // verify the chunk length
+ if (chunkLength < 0) {
+ throw new IIOException("Invalid chunk lenght " + chunkLength);
+ };
+
+ try {
+ stream.mark();
+ stream.seek(stream.getStreamPosition() + chunkLength);
+ chunkCRC = stream.readInt();
+ stream.reset();
+ } catch (IOException e) {
+ throw new IIOException("Invalid chunk length " + chunkLength);
+ }
 switch (chunkType) {
 case IDAT_TYPE:
@@ -762,7 +777,11 @@
 break;
 }
- int chunkCRC = stream.readInt();
+ // double check whether all chunk data were consumed
+ if (chunkCRC != stream.readInt()) {
+ throw new IIOException("Failed to read a chunk of type " +
+ chunkType);
+ }
 stream.flushBefore(stream.getStreamPosition());
 }
 } catch (IOException e) {
@@ -1277,6 +1296,16 @@
 is = new BufferedInputStream(is);
 this.pixelStream = new DataInputStream(is);
+ /*
+ * NB: the PNG spec declares that valid range for width
+ * and height is [1, 2^31-1], so here we may fail to allocate
+ * a buffer for destination image due to memory limitation.
+ *
+ * However, the recovery strategy for this case should be
+ * defined on the level of application, so we will not
+ * try to estimate the required amount of the memory and/or
+ * handle OOM in any way.
+ */
 theImage = getDestination(param,
 getImageTypes(0),
 width,
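Review bot: The look-ahead in the added `try` block of the first hunk seeks `chunkLength` bytes forward before any of the chunk is parsed, and `chunkLength` comes straight from the file, so on a cache-backed `ImageInputStream` this presumably pulls up to 2^31-1 bytes into the cache for a single chunk header. It is worth confirming that cost is acceptable, or rejecting the chunk against `stream.length()` when the length is known, before seeking. The `catch` also discards the original exception and reports every I/O failure as a bad length; `throw new IIOException("Invalid chunk length " + chunkLength, e);` keeps the cause. Smaller points in the same hunk: the first message spells it "lenght" while the second says "length", and the `if` block is closed with `};`. The enclosing loop starts before this hunk and ends after it.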
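Review bot: In the second hunk, comparing the pre-read `chunkCRC` with the next `readInt()` only shows that the same four bytes appear at both positions, which a crafted file can arrange, and nothing in the visible lines computes a CRC-32 over the chunk data. If the intent is to detect a `case` that consumed too much or too little, comparing positions is exact: save `long chunkEnd = stream.getStreamPosition() + chunkLength;` next to the length check in the first hunk and test `if (stream.getStreamPosition() != chunkEnd)` here before reading the CRC. The message also prints `chunkType` as a decimal int, which is hard to map back to a four-character chunk name. The `switch` body between the two hunks is not visible, so whether every case is meant to stop exactly at the chunk end is an assumption.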
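Review bot: The comment added in the third hunk records a policy decision, that the reader will not bound or recover from the destination-buffer allocation for file-supplied `width` and `height`, but only someone reading the implementation will see it. Callers that decode untrusted PNGs need to know the check is theirs to make, so the comment could end with a line such as `* Callers handling untrusted input should check getWidth(0)/getHeight(0) before read().` and the same sentence would be worth surfacing in the reader's public documentation. The method containing this hunk begins and ends outside the visible lines.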