Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8188756

ImageIO throws IndexOutOfBoundsException on faulty JPEG

XMLWordPrintable

      FULL PRODUCT VERSION :
      openjdk version "9"
      OpenJDK Runtime Environment (build 9+181)
      OpenJDK 64-Bit Server VM (build 9+181, mixed mode)

      Also present in other versions I tested with (Oracle 7 and 8, OpenJDK 8).

      ADDITIONAL OS VERSION INFORMATION :
      Linux 4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

      A DESCRIPTION OF THE PROBLEM :
      I fuzzed JPEG loading with javax.imageio.ImageIO using the AFL-based fuzzing tool Kelinci (https://github.com/isstac/kelinci). It found an input on which ImageIO.read() throws an IndexOutOfBoundsException. Per the specification, it should throw an IOException instead for faulty JPEGs.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Run the attached test case on the faulty JPEG image generated by Kelinci. Unfortunately I cannot attach the JPEG here, please get in touch and I'll send it.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      ImageIO.read() throws an IIOException, which is then caught by an application using the library.
      ACTUAL -
      ImageIO.read() throws an IndexOutOfBoundsException, crashing the thread it was called from.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" java.lang.IndexOutOfBoundsException: Index -1 out-of-bounds for length 0
      at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
      at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
      at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
      at java.base/java.util.Objects.checkIndex(Objects.java:372)
      at java.base/java.util.ArrayList.get(ArrayList.java:439)
      at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.checkTablesOnly(JPEGImageReader.java:378)
      at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.gotoImage(JPEGImageReader.java:493)
      at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readHeader(JPEGImageReader.java:716)
      at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readInternal(JPEGImageReader.java:1173)
      at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.read(JPEGImageReader.java:1153)
      at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
      at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1315)
      at DriverKelinci.main(DriverKelinci.java:18)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.awt.image.BufferedImage;
      import java.io.File;
      import java.io.IOException;

      import javax.imageio.ImageIO;

      public class DriverKelinci
      {
        public static void main(final String[] args) {

          if (args.length != 1) {
            System.err.println("Expects file name as parameter");
            return;
          }

          try {
            File imageFile = new File(args[0]);
            BufferedImage bi = ImageIO.read(imageFile);
          } catch (IOException e) {
            e.printStackTrace();
          }

          System.out.println("Done.");
        }
      }

      ---------- END SOURCE ----------

        1. NegSegmentSize.JPG
          0.0 kB
        2. DriverKelinci.java
          0.5 kB

            jdv Jayathirth D V
            webbuggrp Webbug Group
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: