stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

7058618: PNG parser bugs found via zzuf fuzzing

Browse Source 
Reviewed-by: prr, vadim
This commit is contained in:
Andrew Brygin 2013-10-10 18:59:01 +04:00
parent c1c21c0ff1
commit 347f54c3e2
1 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
View File

@ -688,6 +688,21 @@ public class PNGImageReader extends ImageReader {
loop: while (true) {
int chunkLength = stream.readInt();
int chunkType = stream.readInt();
int chunkCRC;
// verify the chunk length
if (chunkLength < 0) {
throw new IIOException("Invalid chunk lenght " + chunkLength);
};
try {
stream.mark();
stream.seek(stream.getStreamPosition() + chunkLength);
chunkCRC = stream.readInt();
stream.reset();
} catch (IOException e) {
throw new IIOException("Invalid chunk length " + chunkLength);
}
switch (chunkType) {
case IDAT_TYPE:
@ -762,7 +777,11 @@ public class PNGImageReader extends ImageReader {
break;
}
int chunkCRC = stream.readInt();
// double check whether all chunk data were consumed
if (chunkCRC != stream.readInt()) {
throw new IIOException("Failed to read a chunk of type " +
chunkType);
}
stream.flushBefore(stream.getStreamPosition());
}
} catch (IOException e) {
@ -1277,6 +1296,16 @@ public class PNGImageReader extends ImageReader {
is = new BufferedInputStream(is);
this.pixelStream = new DataInputStream(is);
/*
* NB: the PNG spec declares that valid range for width
* and height is [1, 2^31-1], so here we may fail to allocate
* a buffer for destination image due to memory limitation.
*
* However, the recovery strategy for this case should be
* defined on the level of application, so we will not
* try to estimate the required amount of the memory and/or
* handle OOM in any way.
*/
theImage = getDestination(param,
getImageTypes(0),
width,