Return-Path: X-Original-To: apmail-commons-issues-archive@minotaur.apache.org Delivered-To: apmail-commons-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 299E217DC0 for ; Thu, 19 Feb 2015 06:51:12 +0000 (UTC) Received: (qmail 66706 invoked by uid 500); 19 Feb 2015 06:51:12 -0000 Delivered-To: apmail-commons-issues-archive@commons.apache.org Received: (qmail 66608 invoked by uid 500); 19 Feb 2015 06:51:12 -0000 Mailing-List: contact issues-help@commons.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: issues@commons.apache.org Delivered-To: mailing list issues@commons.apache.org Received: (qmail 66596 invoked by uid 99); 19 Feb 2015 06:51:11 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 19 Feb 2015 06:51:11 +0000 Date: Thu, 19 Feb 2015 06:51:11 +0000 (UTC) From: "Benedikt Ritter (JIRA)" To: issues@commons.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (IMAGING-167) Possible infinite loop at XpmImageParser::writeImage(...) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/IMAGING-167?page=3Dcom.atlassia= n.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=3D143= 27054#comment-14327054 ]=20 Benedikt Ritter commented on IMAGING-167: ----------------------------------------- Please create a PR at github. This will make reviewing easier. > Possible infinite loop at XpmImageParser::writeImage(...) > --------------------------------------------------------- > > Key: IMAGING-167 > URL: https://issues.apache.org/jira/browse/IMAGING-167 > Project: Commons Imaging > Issue Type: Bug > Components: Format: JPEG > Reporter: Michael Gro=C3=9F > Labels: github > Fix For: Review Patch > > > While researching for IMAGING-164 I found the following code at > org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...) > {noformat} > final PaletteFactory paletteFactory =3D new PaletteFactory(); > .... > SimplePalette palette =3D null; > int maxColors =3D WRITE_PALETTE.length; > int charsPerPixel =3D 1; > while (palette =3D=3D null) { > palette =3D paletteFactory.makeExactRgbPaletteSimple(src, > hasTransparency ? maxColors - 1 : maxColors); > if (palette =3D=3D null) { > maxColors *=3D WRITE_PALETTE.length; > charsPerPixel++; > } > } > {noformat} > The while loop has no exit when *maxColors* or *charsPerPixel* - both int= values - overflow. They can overflow because PaletteFactory.makeExactRgbPa= letteSimple(...) can return null as found in IMAGING-164. > As far as I know Java doesn't thows an exception when an int flows over -= it just "flips" it so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE= . So we would have an infinite loop. -- This message was sent by Atlassian JIRA (v6.3.4#6332)