commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Groß (JIRA) <j...@apache.org>
Subject [jira] [Commented] (IMAGING-167) Possible infinite loop at XpmImageParser::writeImage(...)
Date Sun, 15 Feb 2015 09:55:11 GMT

    [ https://issues.apache.org/jira/browse/IMAGING-167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321900#comment-14321900
] 

Michael Groß commented on IMAGING-167:
--------------------------------------

Proposed a patch at http://github.com/mgmechanics/commons-imaging/tree/IMAGING-167 - it's
only a tiny one.

> Possible infinite loop at XpmImageParser::writeImage(...)
> ---------------------------------------------------------
>
>                 Key: IMAGING-167
>                 URL: https://issues.apache.org/jira/browse/IMAGING-167
>             Project: Commons Imaging
>          Issue Type: Bug
>            Reporter: Michael Groß
>             Fix For: Review Patch
>
>
> While researching for IMAGING-164 I found the following code at
> org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...)
> {noformat}
> final PaletteFactory paletteFactory = new PaletteFactory();
> ....
> SimplePalette palette = null;
>         int maxColors = WRITE_PALETTE.length;
>         int charsPerPixel = 1;
>         while (palette == null) {
>             palette = paletteFactory.makeExactRgbPaletteSimple(src,
>                     hasTransparency ? maxColors - 1 : maxColors);
>             if (palette == null) {
>                 maxColors *= WRITE_PALETTE.length;
>                 charsPerPixel++;
>             }
>         }
> {noformat}
> The while loop has no exit when *maxColors* or *charsPerPixel* - both int values - overflow.
They can overflow because PaletteFactory.makeExactRgbPaletteSimple(...) can return null as
found in IMAGING-164.
> As far as I know Java doesn't thows an exception when an int flows over - it just "flips"
it so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE. So we would have an infinite loop.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message