commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rody Kersten (JIRA)" <>
Subject [jira] [Updated] (IMAGING-203) JPEG segment size not validated
Date Tue, 15 Aug 2017 21:30:00 GMT


Rody Kersten updated IMAGING-203:
    Attachment: NegSegmentSize.patch

Patch to fix the problem. Includes a unit test.

> JPEG segment size not validated
> -------------------------------
>                 Key: IMAGING-203
>                 URL:
>             Project: Commons Imaging
>          Issue Type: Bug
>          Components: Format: JPEG
>            Reporter: Rody Kersten
>         Attachments: NegSegmentSize.patch
> Using my AFL-based fuzzer for Java, Kelinci ( I found
that a NegativeArraySizeException may be throw when attempting to read an invalid JPEG image.
> Each JPEG segment starts with a two-byte unsigned integer specifying the segment size.
Segments are parsed by org.apache.commons.imaging.formats.jpeg.JpegUtils.traverseJFIF(). As
the specified size includes these two bytes, the method subtracts 2 from the size before it
is used. It then attempts to allocate a buffer for the segment, which fails if the specified
size is 0 or 1. The method should throw an ImageReadException instead.

This message was sent by Atlassian JIRA

View raw message