--- a/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Fri Oct 04 16:17:59 2013 -0700
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java Thu Oct 10 18:59:01 2013 +0400
@@ -688,6 +688,21 @@
loop: while (true) {
int chunkLength = stream.readInt();
int chunkType = stream.readInt();
+ int chunkCRC;
+
+ // verify the chunk length
+ if (chunkLength < 0) {
+ throw new IIOException("Invalid chunk lenght " + chunkLength);
+ };
+
+ try {
+ stream.mark();
+ stream.seek(stream.getStreamPosition() + chunkLength);
+ chunkCRC = stream.readInt();
+ stream.reset();
+ } catch (IOException e) {
+ throw new IIOException("Invalid chunk length " + chunkLength);
+ }
switch (chunkType) {
case IDAT_TYPE:
@@ -762,7 +777,11 @@
break;
}
- int chunkCRC = stream.readInt();
+ // double check whether all chunk data were consumed
+ if (chunkCRC != stream.readInt()) {
+ throw new IIOException("Failed to read a chunk of type " +
+ chunkType);
+ }
stream.flushBefore(stream.getStreamPosition());
}
} catch (IOException e) {
@@ -1277,6 +1296,16 @@
is = new BufferedInputStream(is);
this.pixelStream = new DataInputStream(is);
+ /*
+ * NB: the PNG spec declares that valid range for width
+ * and height is [1, 2^31-1], so here we may fail to allocate
+ * a buffer for destination image due to memory limitation.
+ *
+ * However, the recovery strategy for this case should be
+ * defined on the level of application, so we will not
+ * try to estimate the required amount of the memory and/or
+ * handle OOM in any way.
+ */
theImage = getDestination(param,
getImageTypes(0),
width,