Date: Tue, 20 Dec 2011 11:17:30 +0000 (UTC)
From: "Emmanuel Bourg (Reopened) (JIRA)"
To: issues@commons.apache.org
Message-ID: <525935383.30335.1324379850928.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Reopened] (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header

     [ https://issues.apache.org/jira/browse/SANSELAN-39?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Bourg reopened SANSELAN-39:
------------------------------------

> Sanselan can be made to crash with an image with wrong data in EXIF header
> --------------------------------------------------------------------------
>
>                 Key: SANSELAN-39
>                 URL: https://issues.apache.org/jira/browse/SANSELAN-39
>             Project: Commons Sanselan
>          Issue Type: Bug
>            Reporter: Jacobo Tarrio
>             Fix For: 1.0
>
>
> Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.
> When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.
> The fix would consist of replacing the condition with one like the following:
> if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)
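
The overflow described in the report, as an added example that is not part of the original message and is not Sanselan's own code. The class `BlockRangeCheck`, its method names and the 64-byte sample array are hypothetical; the `getBlock` variant that avoids the addition altogether is an assumed alternative form of the proposed condition.

```java
import java.io.IOException;
import java.util.Arrays;

// Added example: simplified stand-in for the getBlock() range check, not Sanselan's code.
public class BlockRangeCheck {
    private final byte[] bytes;

    BlockRangeCheck(byte[] bytes) { this.bytes = bytes; }

    // Condition quoted in the report: rejects only when start + length > bytes.length.
    // In 32-bit int arithmetic the sum can wrap to a negative value and slip through.
    boolean originalCheckRejects(int start, int length) {
        return start + length > bytes.length;
    }

    // Condition proposed in the report.
    boolean proposedCheckRejects(int start, int length) {
        return start < 0 || length < 0 || start + length < 0
                || start + length > bytes.length;
    }

    // Same range test written so that no addition can overflow (assumed alternative):
    // once 0 <= start <= bytes.length holds, bytes.length - start cannot wrap.
    byte[] getBlock(int start, int length) throws IOException {
        if (start < 0 || length < 0 || start > bytes.length
                || length > bytes.length - start) {
            throw new IOException("Block [" + start + ", +" + length
                    + ") outside data of " + bytes.length + " bytes");
        }
        return Arrays.copyOfRange(bytes, start, start + length);
    }

    public static void main(String[] args) {
        BlockRangeCheck src = new BlockRangeCheck(new byte[64]); // constructed sample data
        int start = 1342195485, length = 974913536;              // values from the report

        System.out.println("start + length as int = " + (start + length));
        System.out.println("original check rejects: " + src.originalCheckRejects(start, length));
        System.out.println("proposed check rejects: " + src.proposedCheckRejects(start, length));
        try {
            src.getBlock(start, length);
        } catch (IOException e) {
            System.out.println("getBlock rejected: " + e.getMessage());
        }
        try {
            System.out.println("valid block size: " + src.getBlock(60, 4).length);
        } catch (IOException e) {
            throw new AssertionError(e);
        }
    }
}
```

The demo only evaluates the original condition and never performs the oversized allocation, so it runs with a default heap.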