Mercurial Mercurial > jdk-sandbox / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
7058611: JPG parser bugs found via zzuf fuzzing
authorbae
Mon, 14 Oct 2013 16:00:03 +0400
changeset 21223 daef7d30537c
parent 21222 69edb4f345a3
child 21224 58a31574ac84
7058611: JPG parser bugs found via zzuf fuzzing Reviewed-by: prr, vadim
jdk/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java file | annotate | diff | comparison | revisions
jdk/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java file | annotate | diff | comparison | revisions 
--- a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java	Mon Oct 14 15:49:05 2013 +0400
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java	Mon Oct 14 16:00:03 2013 +0400
@@ -28,6 +28,7 @@
 import javax.imageio.metadata.IIOInvalidTreeException;
 import javax.imageio.metadata.IIOMetadataNode;
 import javax.imageio.stream.ImageOutputStream;
+import javax.imageio.IIOException;
 
 import java.io.IOException;
 
@@ -60,6 +61,10 @@
         length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         length |= buffer.buf[buffer.bufPtr++] & 0xff;
         length -= 2;  // JPEG length includes itself, we don't
+
+        if (length < 0) {
+            throw new IIOException("Invalid segment length: " + length);
+        }
         buffer.bufAvail -= 3;
         // Now that we know the true length, ensure that we've got it,
         // or at least a bufferful if length is too big.
--- a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java	Mon Oct 14 15:49:05 2013 +0400
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java	Mon Oct 14 16:00:03 2013 +0400
@@ -78,7 +78,7 @@
         numLines |= buffer.buf[buffer.bufPtr++] & 0xff;
         samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff;
-        int numComponents = buffer.buf[buffer.bufPtr++];
+        int numComponents = buffer.buf[buffer.bufPtr++] & 0xff;
         componentSpecs = new ComponentSpec [numComponents];
         for (int i = 0; i < numComponents; i++) {
             componentSpecs[i] = new ComponentSpec(buffer);
jdk-sandbox