changeset 10432:478f7a9b3b12

7058611: JPG parser bugs found via zzuf fuzzing Reviewed-by: prr, vadim
author bae
date Mon, 14 Oct 2013 16:00:03 +0400
parents cb9fa40f73f7
children b164c8eb1295
files src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
diffstat 2 files changed, 6 insertions(+), 1 deletions(-) [+]
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java	Mon Oct 14 15:49:05 2013 +0400
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java	Mon Oct 14 16:00:03 2013 +0400
@@ -28,6 +28,7 @@
 import javax.imageio.metadata.IIOInvalidTreeException;
 import javax.imageio.metadata.IIOMetadataNode;
 import javax.imageio.stream.ImageOutputStream;
+import javax.imageio.IIOException;
 
 import java.io.IOException;
 
@@ -60,6 +61,10 @@
         length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         length |= buffer.buf[buffer.bufPtr++] & 0xff;
         length -= 2;  // JPEG length includes itself, we don't
+
+        if (length < 0) {
+            throw new IIOException("Invalid segment length: " + length);
+        }
         buffer.bufAvail -= 3;
         // Now that we know the true length, ensure that we've got it,
         // or at least a bufferful if length is too big.
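Review bot: The new `length < 0` check throws after `bufPtr` has been advanced three times but before `buffer.bufAvail -= 3;` runs, so on the error path the buffer's read pointer and its available count no longer agree. Whether any caller keeps using the buffer after catching the exception is not visible here, but placing the check after the `bufAvail` adjustment would keep the two consistent at no cost. The message also prints the value after `length -= 2`, so a declared length of 0 is reported as -2; `"Invalid segment length: " + (length + 2)` would show what the file actually contains. The enclosing method starts and ends outside the hunk.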
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java	Mon Oct 14 15:49:05 2013 +0400
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java	Mon Oct 14 16:00:03 2013 +0400
@@ -78,7 +78,7 @@
         numLines |= buffer.buf[buffer.bufPtr++] & 0xff;
         samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff;
-        int numComponents = buffer.buf[buffer.bufPtr++];
+        int numComponents = buffer.buf[buffer.bufPtr++] & 0xff;
         componentSpecs = new ComponentSpec [numComponents];
         for (int i = 0; i < numComponents; i++) {
             componentSpecs[i] = new ComponentSpec(buffer);
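Review bot: `numComponents` is now confined to 0..255, but it is still not checked against the segment length parsed in `MarkerSegment` before the array is allocated and the loop starts consuming component specs from `buffer.buf`. A truncated or malformed SOF segment that declares more components than its payload holds would presumably drive the `ComponentSpec` reads past the segment's data; that constructor is not visible here, so this is inferred. Assuming three bytes per component as in the JPEG frame header, a guard such as `if (length < 6 + 3 * numComponents) throw new IIOException("Invalid SOF segment length: " + length);` before the allocation would reject such input, and this file would then need the `IIOException` import as well. The loop body and the rest of the method continue outside the hunk.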