commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Groß (JIRA) <j...@apache.org>
Subject [jira] [Created] (IMAGING-167) Possible infinite loop at XpmImageParser::writeImage(...)
Date Sat, 14 Feb 2015 19:43:11 GMT
Michael Groß created IMAGING-167:
------------------------------------

             Summary: Possible infinite loop at XpmImageParser::writeImage(...)
                 Key: IMAGING-167
                 URL: https://issues.apache.org/jira/browse/IMAGING-167
             Project: Commons Imaging
          Issue Type: Bug
            Reporter: Michael Groß


While researching for IMAGING-164 I found the following code at
org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...)
{noformat}
final PaletteFactory paletteFactory = new PaletteFactory();
....
SimplePalette palette = null;
        int maxColors = WRITE_PALETTE.length;
        int charsPerPixel = 1;
        while (palette == null) {
            palette = paletteFactory.makeExactRgbPaletteSimple(src,
                    hasTransparency ? maxColors - 1 : maxColors);
            if (palette == null) {
                maxColors *= WRITE_PALETTE.length;
                charsPerPixel++;
            }
        }
{noformat}
The while loop has no exit when *maxColors* or *charsPerPixel* - both int values - overflow.
They can overflow because PaletteFactory.makeExactRgbPaletteSimple(...) can return null as
found in IMAGING-164.

As far as I know Java doesn't thows an exception when an int flows over - it just "flips"
it so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE. So we would have an infinite loop.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message