-
Bug
-
Resolution: Fixed
-
P2
-
8, 9, 10
-
b01
-
x86_64
-
generic
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8227944 | openjdk8u232 | Jayathirth D V | P2 | Resolved | Fixed | b01 |
| JDK-8227794 | openjdk8u222 | Jayathirth D V | P2 | Resolved | Fixed | b09 |
| JDK-8227902 | openjdk7u | Andrew Hughes | P2 | Resolved | Fixed | master |
FULL PRODUCT VERSION :
openjdk version "9.0.1"
OpenJDK Runtime Environment (build 9.0.1+11)
OpenJDK 64-Bit Server VM (build 9.0.1+11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Ubuntu Linux 64-bit
A DESCRIPTION OF THE PROBLEM :
The ImageReader com.sun.imageio.plugins.jpeg.JPEGImageReader throws an IndexOutOfBoundsException in calls from method checkTablesOnly() when reading a malformed JPEG file whose header indicates that it is tables-only. This happens when attempting to flush the image input stream up to the last image, but when the length of the list `imagePositions` is zero. This exception is not documented in the API call to ImageIO.read() or ImageReader.read(); instead, the reader should throw an IOException indicating that the image input stream is malformed.
This bug was found using AFL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the test program attached below.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An IOException should be thrown (specifically, a javax.imagio.IIOException).
ACTUAL -
A java.lang.IndexOutOfBoundsException is thrown (on JDK 8 and below, an ArrayIndexOutOfBoundsException is thrown).
ERROR MESSAGES/STACK TRACES THAT OCCUR :
at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
at java.base/java.util.Objects.checkIndex(Objects.java:372)
at java.base/java.util.ArrayList.get(ArrayList.java:440)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.checkTablesOnly(JPEGImageReader.java:378)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.gotoImage(JPEGImageReader.java:493)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readHeader(JPEGImageReader.java:716)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readInternal(JPEGImageReader.java:1173)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.read(JPEGImageReader.java:1153)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
at JpegReaderOOBIssue.main(JpegReaderOOBIssue.java:25)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Base64;
import javax.imageio.ImageIO;
public class JpegReaderOOBIssue {
// JPEG image test case (encoded as base64)
private static String inputImageBase64 = "/9j/4IAQSkZJRgABAQEASABIAAD" +
"/2wBDAFA3PEY8MlBGQUZaVVBfeMiCeG5uePWvuZHI///////////////////////////" +
"/////////////////////////2wBDAVVaWnhpeOuCguv////////////////////////" +
"/////////////////////////////////////////////////wAARCAAgACADASIAAhE" +
"BAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAAAAECA//EACUQAQACAAUDBAMAAAAAAAAAAAE" +
"AAhESITGxQXKSA2Fi0SIyUf/EABYBAQEBAAAAAAAAAAAAAAAAAAABA//EABcRAQEBAQA" +
"AAAAAAAAAAAAAAAEAESH/2gAMAwEAAhEDEQA/ANf2VW2OKaWTqnRhl97eb9wrs91uWPE" +
"BUX+EtmrssvvbzfuJWjVG2tg1svLLtgJ0Uxwmd96d5zE7tVdnutyxm5JVoo0u6rpXHdW" +
"LP8PU8WIjtRuvVZN96d5zDP8AD1PFhre1Apc/Ida4RAdv/9k=";
public static void main(String[] args) throws java.io.IOException {
// Convert test case into input stream
byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
InputStream in = new ByteArrayInputStream(inputBytes);
// Attempt to read JPEG
ImageIO.read(in); // Throws IndexOutOfBoundsException!
}
}
---------- END SOURCE ----------
openjdk version "9.0.1"
OpenJDK Runtime Environment (build 9.0.1+11)
OpenJDK 64-Bit Server VM (build 9.0.1+11, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Ubuntu Linux 64-bit
A DESCRIPTION OF THE PROBLEM :
The ImageReader com.sun.imageio.plugins.jpeg.JPEGImageReader throws an IndexOutOfBoundsException in calls from method checkTablesOnly() when reading a malformed JPEG file whose header indicates that it is tables-only. This happens when attempting to flush the image input stream up to the last image, but when the length of the list `imagePositions` is zero. This exception is not documented in the API call to ImageIO.read() or ImageReader.read(); instead, the reader should throw an IOException indicating that the image input stream is malformed.
This bug was found using AFL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the test program attached below.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An IOException should be thrown (specifically, a javax.imagio.IIOException).
ACTUAL -
A java.lang.IndexOutOfBoundsException is thrown (on JDK 8 and below, an ArrayIndexOutOfBoundsException is thrown).
ERROR MESSAGES/STACK TRACES THAT OCCUR :
at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
at java.base/java.util.Objects.checkIndex(Objects.java:372)
at java.base/java.util.ArrayList.get(ArrayList.java:440)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.checkTablesOnly(JPEGImageReader.java:378)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.gotoImage(JPEGImageReader.java:493)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readHeader(JPEGImageReader.java:716)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readInternal(JPEGImageReader.java:1173)
at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.read(JPEGImageReader.java:1153)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
at JpegReaderOOBIssue.main(JpegReaderOOBIssue.java:25)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Base64;
import javax.imageio.ImageIO;
public class JpegReaderOOBIssue {
// JPEG image test case (encoded as base64)
private static String inputImageBase64 = "/9j/4IAQSkZJRgABAQEASABIAAD" +
"/2wBDAFA3PEY8MlBGQUZaVVBfeMiCeG5uePWvuZHI///////////////////////////" +
"/////////////////////////2wBDAVVaWnhpeOuCguv////////////////////////" +
"/////////////////////////////////////////////////wAARCAAgACADASIAAhE" +
"BAxEB/8QAFwAAAwEAAAAAAAAAAAAAAAAAAAECA//EACUQAQACAAUDBAMAAAAAAAAAAAE" +
"AAhESITGxQXKSA2Fi0SIyUf/EABYBAQEBAAAAAAAAAAAAAAAAAAABA//EABcRAQEBAQA" +
"AAAAAAAAAAAAAAAEAESH/2gAMAwEAAhEDEQA/ANf2VW2OKaWTqnRhl97eb9wrs91uWPE" +
"BUX+EtmrssvvbzfuJWjVG2tg1svLLtgJ0Uxwmd96d5zE7tVdnutyxm5JVoo0u6rpXHdW" +
"LP8PU8WIjtRuvVZN96d5zDP8AD1PFhre1Apc/Ida4RAdv/9k=";
public static void main(String[] args) throws java.io.IOException {
// Convert test case into input stream
byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
InputStream in = new ByteArrayInputStream(inputBytes);
// Attempt to read JPEG
ImageIO.read(in); // Throws IndexOutOfBoundsException!
}
}
---------- END SOURCE ----------
- backported by
-
JDK-8227794 JpegImageReader throws IndexOutOfBoundsException when trying to read image data from tables-only image
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- duplicates
-
-
- Closed
-
-
-
- Closed
-
- links to
(1 links to)