[IMAGING-13] Sanselan can be made to crash with an image with wrong data in EXIF header - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0-alpha1
Component/s: None
Labels:
None

Description

Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.

When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.

The fix would consist of replacing the condition with one like the following:

if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Jacobo Tarrio Barreiro

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 04/May/10 00:12

Updated:: 03/May/19 08:39

Resolved:: 20/Dec/11 11:17