8242557: Add length limit for strings in PNGImageWriter

Reviewed-by: prr, psadhukhan
2020-04-30 20:03:36 +05:30 · 2020-04-30 20:03:36 +05:30 · 188106be4d
commit 188106be4d
parent 7dad5d261a
2 changed files with 140 additions and 2 deletions
--- a/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageWriter.java
+++ b/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageWriter.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -513,6 +513,9 @@ public final class PNGImageWriter extends ImageWriter {
    private void write_iCCP() throws IOException {
        if (metadata.iCCP_present) {
            ChunkStream cs = new ChunkStream(PNGImageReader.iCCP_TYPE, stream);
+            if (metadata.iCCP_profileName.length() > 79) {
+                throw new IIOException("iCCP profile name is longer than 79");
+            }
            cs.writeBytes(metadata.iCCP_profileName);
            cs.writeByte(0); // null terminator

@ -701,6 +704,9 @@ public final class PNGImageWriter extends ImageWriter {
        if (metadata.sPLT_present) {
            ChunkStream cs = new ChunkStream(PNGImageReader.sPLT_TYPE, stream);

+            if (metadata.sPLT_paletteName.length() > 79) {
+                throw new IIOException("sPLT palette name is longer than 79");
+            }
            cs.writeBytes(metadata.sPLT_paletteName);
            cs.writeByte(0); // null terminator

@ -748,6 +754,9 @@ public final class PNGImageWriter extends ImageWriter {
        while (keywordIter.hasNext()) {
            ChunkStream cs = new ChunkStream(PNGImageReader.tEXt_TYPE, stream);
            String keyword = keywordIter.next();
+            if (keyword.length() > 79) {
+                throw new IIOException("tEXt keyword is longer than 79");
+            }
            cs.writeBytes(keyword);
            cs.writeByte(0);

@ -777,7 +786,11 @@ public final class PNGImageWriter extends ImageWriter {
        while (keywordIter.hasNext()) {
            ChunkStream cs = new ChunkStream(PNGImageReader.iTXt_TYPE, stream);

-            cs.writeBytes(keywordIter.next());
+            String keyword = keywordIter.next();
+            if (keyword.length() > 79) {
+                throw new IIOException("iTXt keyword is longer than 79");
+            }
+            cs.writeBytes(keyword);
            cs.writeByte(0);

            Boolean compressed = flagIter.next();
@ -810,6 +823,9 @@ public final class PNGImageWriter extends ImageWriter {
        while (keywordIter.hasNext()) {
            ChunkStream cs = new ChunkStream(PNGImageReader.zTXt_TYPE, stream);
            String keyword = keywordIter.next();
+            if (keyword.length() > 79) {
+                throw new IIOException("tEXt keyword is longer than 79");
+            }
            cs.writeBytes(keyword);
            cs.writeByte(0);

--- a/test/jdk/javax/imageio/plugins/png/WriteInvalidKeywordTest.java
+++ b/test/jdk/javax/imageio/plugins/png/WriteInvalidKeywordTest.java
@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug     8242557
+ * @summary Test verifies that PNGImageWriter does not write
+ *          longer than 79 length null terminated strings.
+ * @run     main WriteInvalidKeywordTest
+ */
+
+import java.awt.Graphics2D;
+import java.awt.image.BufferedImage;
+import java.awt.Color;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.Iterator;
+import javax.imageio.*;
+import javax.imageio.metadata.IIOInvalidTreeException;
+import javax.imageio.metadata.IIOMetadata;
+import javax.imageio.metadata.IIOMetadataNode;
+import javax.imageio.stream.ImageOutputStream;
+
+public class WriteInvalidKeywordTest {
+
+    private static BufferedImage img;
+    private static ImageWriter writer;
+    private static ImageWriteParam param;
+    private static IIOMetadata metadata;
+
+    private static void initialize(int type) {
+        int width = 1;
+        int height = 1;
+        img = new BufferedImage(width, height, type);
+        Graphics2D g2D = img.createGraphics();
+        g2D.setColor(new Color(255, 255, 255));
+        g2D.fillRect(0, 0, width, width);
+        g2D.dispose();
+
+        Iterator<ImageWriter> iterWriter =
+                ImageIO.getImageWritersBySuffix("png");
+        writer = iterWriter.next();
+
+        param = writer.getDefaultWriteParam();
+        ImageTypeSpecifier specifier =
+                ImageTypeSpecifier.
+                        createFromBufferedImageType(type);
+        metadata = writer.getDefaultImageMetadata(specifier, param);
+    }
+
+    private static void createTEXTNode()
+            throws IIOInvalidTreeException {
+        IIOMetadataNode tEXt_Entry = new IIOMetadataNode("tEXtEntry");
+        // Keyword length greater than 79
+        tEXt_Entry.setAttribute("keyword", "Authored" +
+                "AuthoredAuthoredAuthoredAuthoredAuthoredAuthored" +
+                "AuthoredAuthoredAuthoredAuthored");
+        tEXt_Entry.setAttribute("value", "");
+
+        IIOMetadataNode tEXt = new IIOMetadataNode("tEXt");
+        tEXt.appendChild(tEXt_Entry);
+        IIOMetadataNode root = new IIOMetadataNode("javax_imageio_png_1.0");
+        root.appendChild(tEXt);
+        metadata.mergeTree("javax_imageio_png_1.0", root);
+    }
+
+    private static void writeImage() throws IOException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        ImageOutputStream ios = ImageIO.createImageOutputStream(baos);
+        writer.setOutput(ios);
+        writer.write(metadata, new IIOImage(img, null, metadata), param);
+        writer.dispose();
+        baos.close();
+        ios.close();
+    }
+
+    private static void writePNGTEXTChunk() throws IOException {
+        initialize(BufferedImage.TYPE_BYTE_GRAY);
+        createTEXTNode();
+        writeImage();
+    }
+
+    public static void main(String[] args) throws IOException {
+        // write PNG image with tEXT chunk having keyword length
+        // greater than 79.
+        boolean failed = true;
+        try {
+            writePNGTEXTChunk();
+        } catch (IIOException e) {
+            // we expect it to throw IIOException
+            if (e.getCause().getMessage() ==
+                    "tEXt keyword is longer than 79") {
+                failed = false;
+            }
+        }
+        if (failed) {
+            throw new RuntimeException("Test failed, did not throw " +
+                    "expected exception");
+        }
+    }
+}
+