commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacobo Tarrio (JIRA)" <j...@apache.org>
Subject [jira] Created: (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header
Date Tue, 04 May 2010 00:12:55 GMT
Sanselan can be made to crash with an image with wrong data in EXIF header
--------------------------------------------------------------------------

                 Key: SANSELAN-39
                 URL: https://issues.apache.org/jira/browse/SANSELAN-39
             Project: Commons Sanselan
          Issue Type: Bug
            Reporter: Jacobo Tarrio


Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485
and length=974913536.

When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length
> bytes.length)", as start+length is a negative number. This caused the server to try to
allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces
either a heap space exhaustion or an array out of bounds error.

The fix would consist of replacing the condition with one like the following:

if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message