Details
Bug
Status: Closed
Major
Resolution: Fixed
Description
While researching for IMAGING-164 I found the following code at
org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...)
    final PaletteFactory paletteFactory = new PaletteFactory();
    ....
    SimplePalette palette = null;
    int maxColors = WRITE_PALETTE.length;
    int charsPerPixel = 1;
    while (palette == null) {
        palette = paletteFactory.makeExactRgbPaletteSimple(src,
                hasTransparency ? maxColors - 1 : maxColors);
        if (palette == null) {
            maxColors *= WRITE_PALETTE.length;
            charsPerPixel++;
        }
    }
The while loop has no exit when maxColors or charsPerPixel - both int values - overflow. They can overflow because PaletteFactory.makeExactRgbPaletteSimple(...) can return null as found in IMAGING-164.
As far as I know Java doesn't throw an exception when an int overflows - it just "flips" it, so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE. So we would have an infinite loop.
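The wrap-around described in this report, next to a bounded variant of the loop, as an added example that is not code from Commons Imaging or from the reporter. The class name, the `ALPHABET` value standing in for `WRITE_PALETTE.length`, the `int[]` palette type and the always-null stub are assumptions made for the demonstration.

```java
import java.util.function.IntFunction;

public class PaletteLoopOverflowDemo {
    // Assumed alphabet size; stands in for WRITE_PALETTE.length, whose value the report does not show.
    static final int ALPHABET = 64;

    // Same unguarded growth as the reported loop, capped at `steps` iterations so the demo terminates.
    static int unguardedMaxColors(int steps) {
        int maxColors = ALPHABET;
        for (int i = 0; i < steps; i++) {
            maxColors *= ALPHABET; // wraps silently once the product exceeds Integer.MAX_VALUE
        }
        return maxColors;
    }

    // Guarded loop: fails with an exception as soon as the color bound no longer fits in an int.
    static int[] findPalette(IntFunction<int[]> makePalette) {
        int maxColors = ALPHABET;
        int charsPerPixel = 1;
        while (true) {
            int[] palette = makePalette.apply(maxColors);
            if (palette != null) {
                return palette;
            }
            try {
                maxColors = Math.multiplyExact(maxColors, ALPHABET); // throws instead of wrapping
            } catch (ArithmeticException e) {
                throw new IllegalStateException("no palette found at " + charsPerPixel
                        + " chars per pixel; color bound overflowed int", e);
            }
            charsPerPixel++;
        }
    }

    public static void main(String[] args) {
        for (int steps = 3; steps <= 6; steps++) {
            System.out.println(steps + " multiplications -> maxColors = " + unguardedMaxColors(steps));
        }
        try {
            findPalette(max -> null); // hypothetical stub that never yields a palette
        } catch (IllegalStateException e) {
            System.out.println("guarded loop stopped: " + e.getMessage());
        }
    }
}
```

With a power-of-two alphabet such as the assumed 64, the wrapped bound settles at 0 and never grows again, so an unguarded loop keeps requesting the same palette size indefinitely.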