commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Bourg (Reopened) (JIRA)" <j...@apache.org>
Subject [jira] [Reopened] (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header
Date Tue, 20 Dec 2011 11:17:30 GMT

     [ https://issues.apache.org/jira/browse/SANSELAN-39?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Bourg reopened SANSELAN-39:
------------------------------------

    
> Sanselan can be made to crash with an image with wrong data in EXIF header
> --------------------------------------------------------------------------
>
>                 Key: SANSELAN-39
>                 URL: https://issues.apache.org/jira/browse/SANSELAN-39
>             Project: Commons Sanselan
>          Issue Type: Bug
>            Reporter: Jacobo Tarrio
>             Fix For: 1.0
>
>
> Investigating a query of death, I found an image that had an EXIF tag that specified
start=1342195485 and length=974913536.
> When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start
+ length > bytes.length)", as start+length is a negative number. This caused the server
to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G.
This produces either a heap space exhaustion or an array out of bounds error.
> The fix would consist of replacing the condition with one like the following:
> if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message