--- a/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Fri Jan 26 15:38:18 2018 -0800
+++ b/src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Tue Jan 30 11:53:00 2018 +0530
@@ -428,12 +428,16 @@
private void parse_iCCP_chunk(int chunkLength) throws IOException {
String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int compressedProfileLength = chunkLength - keyword.length() - 2;
+ if (compressedProfileLength <= 0) {
+ throw new IIOException("iCCP chunk length is not proper");
+ }
metadata.iCCP_profileName = keyword;
metadata.iCCP_compressionMethod = stream.readUnsignedByte();
byte[] compressedProfile =
- new byte[chunkLength - keyword.length() - 2];
+ new byte[compressedProfileLength];
stream.readFully(compressedProfile);
metadata.iCCP_compressedProfile = compressedProfile;
@@ -463,7 +467,11 @@
String text;
pos = stream.getStreamPosition();
- byte[] b = new byte[(int)(chunkStart + chunkLength - pos)];
+ int textLength = (int)(chunkStart + chunkLength - pos);
+ if (textLength <= 0) {
+ throw new IIOException("iTXt chunk length is not proper");
+ }
+ byte[] b = new byte[textLength];
stream.readFully(b);
if (compressionFlag == 1) { // Decompress the text
@@ -515,12 +523,16 @@
private void parse_sPLT_chunk(int chunkLength)
throws IOException, IIOException {
metadata.sPLT_paletteName = readNullTerminatedString("ISO-8859-1", 80);
- chunkLength -= metadata.sPLT_paletteName.length() + 1;
+ int remainingChunkLength = chunkLength -
+ (metadata.sPLT_paletteName.length() + 1);
+ if (remainingChunkLength <= 0) {
+ throw new IIOException("sPLT chunk length is not proper");
+ }
int sampleDepth = stream.readUnsignedByte();
metadata.sPLT_sampleDepth = sampleDepth;
- int numEntries = chunkLength/(4*(sampleDepth/8) + 2);
+ int numEntries = remainingChunkLength/(4*(sampleDepth/8) + 2);
metadata.sPLT_red = new int[numEntries];
metadata.sPLT_green = new int[numEntries];
metadata.sPLT_blue = new int[numEntries];
@@ -558,9 +570,13 @@
private void parse_tEXt_chunk(int chunkLength) throws IOException {
String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int textLength = chunkLength - keyword.length() - 1;
+ if (textLength <= 0) {
+ throw new IIOException("tEXt chunk length is not proper");
+ }
metadata.tEXt_keyword.add(keyword);
- byte[] b = new byte[chunkLength - keyword.length() - 1];
+ byte[] b = new byte[textLength];
stream.readFully(b);
metadata.tEXt_text.add(new String(b, "ISO-8859-1"));
@@ -596,7 +612,7 @@
// Alpha table may have fewer entries than RGB palette
int maxEntries = metadata.PLTE_red.length;
int numEntries = chunkLength;
- if (numEntries > maxEntries) {
+ if (numEntries > maxEntries && maxEntries > 0) {
processWarningOccurred(
"tRNS chunk has more entries than prior PLTE chunk, ignoring extras.");
numEntries = maxEntries;
@@ -652,12 +668,16 @@
private void parse_zTXt_chunk(int chunkLength) throws IOException {
String keyword = readNullTerminatedString("ISO-8859-1", 80);
+ int textLength = chunkLength - keyword.length() - 2;
+ if (textLength <= 0) {
+ throw new IIOException("zTXt chunk length is not proper");
+ }
metadata.zTXt_keyword.add(keyword);
int method = stream.readUnsignedByte();
metadata.zTXt_compressionMethod.add(method);
- byte[] b = new byte[chunkLength - keyword.length() - 2];
+ byte[] b = new byte[textLength];
stream.readFully(b);
metadata.zTXt_text.add(new String(inflate(b), "ISO-8859-1"));