Uploaded image for project: 'Commons Imaging'
  1. Commons Imaging
  2. IMAGING-203

JPEG segment size not validated

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.0-alpha1
    • Component/s: Format: JPEG
    • Labels:
      None

      Description

      Using my AFL-based fuzzer for Java, Kelinci (https://github.com/isstac/kelinci) I found that a NegativeArraySizeException may be throw when attempting to read an invalid JPEG image.

      Each JPEG segment starts with a two-byte unsigned integer specifying the segment size. Segments are parsed by org.apache.commons.imaging.formats.jpeg.JpegUtils.traverseJFIF(). As the specified size includes these two bytes, the method subtracts 2 from the size before it is used. It then attempts to allocate a buffer for the segment, which fails if the specified size is 0 or 1. The method should throw an ImageReadException instead.

        Attachments

        1. NegSegmentSize.patch
          3 kB
          Rody Kersten
        2. NegSegmentSize.JPG
          0.0 kB
          Rody Kersten

          Activity

            People

            • Assignee:
              kinow Bruno P. Kinoshita
              Reporter:
              rodykersten Rody Kersten
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: