-
Bug
-
Resolution: Fixed
-
P3
-
8, 9, 10
-
b01
-
x86_64
-
generic
FULL PRODUCT VERSION :
openjdk version "9.0.1"
OpenJDK Runtime Environment (build 9.0.1+11)
OpenJDK 64-Bit Server VM (build 9.0.1+11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Ubuntu Linux 64-bit
A DESCRIPTION OF THE PROBLEM :
The ImageReader com.sun.imageio.plugins.png.PNGImageReader throws a NullPointerException when attempting to read malformed PNG image files whose IHDR specifies color type of 3 (i.e. each pixel is a palette index) but does not contain a PLTE section. This exception is not in the API spec; instead an IOException should be thrown indicating that the input is malformed.
The exception is thrown in PngImageReader#getImageTypes() inside a switch-case statement with `case PNG_COLOR_PALETTE`: Here, it is possible for `metadata.PLTE_red`, `metadata.PLTE_green` and `metadata.PLTE_blue` to be NULL, simply because a PLTE section did not exist in the image file.
An easy fix for this would be to check if `metadata.PLTE_present` is true in this case block (as this is set whenever a PLTE section is read), and if not, throw an IIOException indicating that the image is malformed.
This bug was found using AFL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the test program attached below.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An IOException should be thrown (e.g. javax.imagio.IIOException).
ACTUAL -
A java.lang.NullPointerException is thrown.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NullPointerException
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.getImageTypes(PNGImageReader.java:1491)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1325)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1627)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
at PngReaderNPEIssue.main(PngReaderNPEIssue.java:21)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Base64;
import javax.imageio.ImageIO;
public class PngReaderNPEIssue {
// PNG image test case (encoded as base64)
private static String inputImageBase64 = "iVBORw0KGgoAAAANSUhEUgAAACA" +
"AAAAgCAMAAABEpIrGAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAA" +
"AAA9QABBFZszM////AAAAM5lmmf/MPkyvFQAAAGFJREFUeNrckzEOwCAMA5OY/7+5NBQ" +
"J1DphYaA3sPgkCwtEE0TVAm7BCkfMBaHgp4JvFwjPulSoITAabwHwk1a0PBB6TSBM+bc" +
"w5ERIlkQiTEPuqTj2ydWbSUhEUgAAUWzl8yZcAgwA0mYDNbDXy5oAAA==";
public static void main(String[] args) throws java.io.IOException {
// Convert test case into input stream
byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
InputStream in = new ByteArrayInputStream(inputBytes);
// Attempt to read PNG
ImageIO.read(in); // Throws java.lang.NullPointerException!
}
}
---------- END SOURCE ----------
openjdk version "9.0.1"
OpenJDK Runtime Environment (build 9.0.1+11)
OpenJDK 64-Bit Server VM (build 9.0.1+11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Ubuntu Linux 64-bit
A DESCRIPTION OF THE PROBLEM :
The ImageReader com.sun.imageio.plugins.png.PNGImageReader throws a NullPointerException when attempting to read malformed PNG image files whose IHDR specifies color type of 3 (i.e. each pixel is a palette index) but does not contain a PLTE section. This exception is not in the API spec; instead an IOException should be thrown indicating that the input is malformed.
The exception is thrown in PngImageReader#getImageTypes() inside a switch-case statement with `case PNG_COLOR_PALETTE`: Here, it is possible for `metadata.PLTE_red`, `metadata.PLTE_green` and `metadata.PLTE_blue` to be NULL, simply because a PLTE section did not exist in the image file.
An easy fix for this would be to check if `metadata.PLTE_present` is true in this case block (as this is set whenever a PLTE section is read), and if not, throw an IIOException indicating that the image is malformed.
This bug was found using AFL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the test program attached below.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An IOException should be thrown (e.g. javax.imagio.IIOException).
ACTUAL -
A java.lang.NullPointerException is thrown.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NullPointerException
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.getImageTypes(PNGImageReader.java:1491)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1325)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1627)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
at PngReaderNPEIssue.main(PngReaderNPEIssue.java:21)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Base64;
import javax.imageio.ImageIO;
public class PngReaderNPEIssue {
// PNG image test case (encoded as base64)
private static String inputImageBase64 = "iVBORw0KGgoAAAANSUhEUgAAACA" +
"AAAAgCAMAAABEpIrGAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAA" +
"AAA9QABBFZszM////AAAAM5lmmf/MPkyvFQAAAGFJREFUeNrckzEOwCAMA5OY/7+5NBQ" +
"J1DphYaA3sPgkCwtEE0TVAm7BCkfMBaHgp4JvFwjPulSoITAabwHwk1a0PBB6TSBM+bc" +
"w5ERIlkQiTEPuqTj2ydWbSUhEUgAAUWzl8yZcAgwA0mYDNbDXy5oAAA==";
public static void main(String[] args) throws java.io.IOException {
// Convert test case into input stream
byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
InputStream in = new ByteArrayInputStream(inputBytes);
// Attempt to read PNG
ImageIO.read(in); // Throws java.lang.NullPointerException!
}
}
---------- END SOURCE ----------
- links to
