8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large

Reviewed-by: prr, pnarayanan
2017-11-20 11:02:54 +05:30 · 2017-11-20 11:02:54 +05:30 · a3ceaef3e4
commit a3ceaef3e4
parent d39af471c9
2 changed files with 105 additions and 6 deletions
--- a/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
+++ b/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
@ -1359,14 +1359,18 @@ public class PNGImageReader extends ImageReader {
            this.pixelStream = new DataInputStream(is);
            /*
-             * NB: the PNG spec declares that valid range for width
+             * PNG spec declares that valid range for width
             * and height is [1, 2^31-1], so here we may fail to allocate
             * a buffer for destination image due to memory limitation.
             *
-             * However, the recovery strategy for this case should be
+             * If the read operation triggers OutOfMemoryError, the same
-             * defined on the level of application, so we will not
+             * will be wrapped in an IIOException at PNGImageReader.read
-             * try to estimate the required amount of the memory and/or
+             * method.
-             * handle OOM in any way.
+             *
             * The recovery strategy for this case should be defined at
             * the level of application, so we will not try to estimate
             * the required amount of the memory and/or handle OOM in
             * any way.
             */
            theImage = getDestination(param,
                                      getImageTypes(0),
@ -1671,7 +1675,16 @@ public class PNGImageReader extends ImageReader {
            throw new IndexOutOfBoundsException("imageIndex != 0!");
        }
-        readImage(param);
+        try {
            readImage(param);
        } catch (IOException |
                 IllegalStateException |
                 IllegalArgumentException e)
        {
            throw e;
        } catch (Throwable e) {
            throw new IIOException("Caught exception during read: ", e);
        }
        return theImage;
    }
--- a/test/jdk/javax/imageio/plugins/png/PngLargeIHDRDimensionTest.java
+++ b/test/jdk/javax/imageio/plugins/png/PngLargeIHDRDimensionTest.java
@ -0,0 +1,86 @@
 /*
 * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 /*
 * @test
 * @bug     8190332
 * @summary Test verifies whether PNGImageReader throws IIOException
 *          or not when IHDR width value is very high.
 * @run     main PngLargeIHDRDimensionTest
 */
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.util.Base64;
 import javax.imageio.IIOException;
 import javax.imageio.ImageIO;
 public class PngLargeIHDRDimensionTest {
    /*
     * IHDR width is very large and when we try to create buffer to store
     * image information of each row it overflows and we get
     * NegativeArraySizeException without the fix for this bug.
     */
    private static String negativeArraySizeExceptionInput = "iVBORw0KGgoAAAANS"
            + "UhEUg////0AAAABEAIAAAA6fptVAAAACklEQVQYV2P4DwABAQEAWk1v8QAAAAB"
            + "JRU5ErkJgggo=";
    /*
     * IHDR width is ((2 to the power of 31) - 2), which is the maximum VM
     * limit to create an array we get OutOfMemoryError without the fix
     * for this bug.
     */
    private static String outOfMemoryErrorInput = "iVBORw0KGgoAAAANSUhEUgAAAAF/"
            + "///+CAAAAAA6fptVAAAACklEQVQYV2P4DwABAQEAWk1v8QAAAABJRU5"
            + "ErkJgggo=";
    private static InputStream input;
    private static Boolean firstTestFailed = true, secondTestFailed = true;
    public static void main(String[] args) throws java.io.IOException {
        byte[] inputBytes = Base64.getDecoder().
                decode(negativeArraySizeExceptionInput);
        input = new ByteArrayInputStream(inputBytes);
        try {
            ImageIO.read(input);
        } catch (IIOException e) {
            firstTestFailed = false;
        }
        inputBytes = Base64.getDecoder().decode(outOfMemoryErrorInput);
        input = new ByteArrayInputStream(inputBytes);
        try {
            ImageIO.read(input);
        } catch (IIOException e) {
            secondTestFailed = false;
        }
        if (firstTestFailed || secondTestFailed) {
            throw new RuntimeException("Test doesn't throw required"
                    + " IIOException");
        }
    }
 }