commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Damjan Jovanovic (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SANSELAN-17) integer overflow unhandled
Date Thu, 23 Feb 2012 05:35:49 GMT

     [ https://issues.apache.org/jira/browse/SANSELAN-17?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Damjan Jovanovic updated SANSELAN-17:
-------------------------------------

    Attachment: concat-app13.patch

Concatenating the APP13 segments, as this patch does, gets the metadata to parse without an
exception.

However this alone is not the correct solution, as some images contain independent APP13 blocks
which should not be concatenated. Detecting which blocks belong together is a difficult problem,
and http://dev.exiv2.org/issues/533 describes how exiv2 does it (by parsing the internal block
structures).

                
> integer overflow unhandled
> --------------------------
>
>                 Key: SANSELAN-17
>                 URL: https://issues.apache.org/jira/browse/SANSELAN-17
>             Project: Commons Sanselan
>          Issue Type: Bug
>          Components: Format: JPEG
>    Affects Versions: 0.94-incubator
>         Environment: win32, 32 bit operating systems
>            Reporter: Greg Squires
>         Attachments: concat-app13.patch, crash.jpeg
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> This function can throw an Exception in ByteSourceArray.java due to a negative byte[]
allocation size. The length argument has been found to wrap when called from IccProfileParser.java.
> In 64bit machines, issues related to incorrect metadata, or ICC data can lead to incorrect
and excess memory allocations. These large numbers however cause 32bit negative signed values.
> 	public byte[] getBlock(int start, int length) throws IOException
> 	{
> 		if (start + length > bytes.length)
> 			throw new IOException("Could not read block (block start: " + start
> 					+ ", block length: " + length + ", data length: "
> 					+ bytes.length + ").");
> 		byte result[] = new byte[length];
> 		System.arraycopy(bytes, start, result, 0, length);
> 		return result;
> 	}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message