- Bug
- Resolution: Duplicate
- P3
- 8, 9, 10
- x86_64
- generic
FULL PRODUCT VERSION :
- OpenJDK Runtime Environment (build 9.0.1+11)
- Java(TM) SE Runtime Environment (build 10-ea+30)
ADDITIONAL OS VERSION INFORMATION :
Ubuntu Linux 64-bit
A DESCRIPTION OF THE PROBLEM :
The ImageReader com.sun.imageio.plugins.png.PNGImageReader throws a NegativeArraySizeException when attempting to read malformed PNG image files with zTXt sections containing keywords where a terminating null byte is not found within the length of the zTXt chunk.
This bug was found using AFL + JQF.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Compile and run the test program attached below. Note: This issue only arises when the ImageReader's "readMetaData" is set to "true".
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
An IOException should be thrown (e.g. javax.imageio.IIOException).
ACTUAL -
A java.lang.NegativeArraySizeException is thrown.
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.NegativeArraySizeException
    at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.parse_zTXt_chunk(PNGImageReader.java:660)
    at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readMetadata(PNGImageReader.java:817)
    at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1310)
    at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1674)
    at java.desktop/javax.imageio.ImageReader.read(ImageReader.java:938)
    at PngReaderZtxtChunkSizeIssue.main(PngReaderZtxtChunkSizeIssue.java:26)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.util.Base64;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

public class PngReaderZtxtChunkSizeIssue {

    // PNG image test case (encoded as base64)
    private static String inputImageBase64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCA" +
        "AAAAA6fptVAAAABHpUWHRhYWFhYWFhYQAAAApJREFUGFdj+A8AAQEBAFpNb/EAAAAASUVORK5CYIIK";

    public static void main(String[] args) throws java.io.IOException {

        // Convert test case into input stream
        byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
        InputStream in = new ByteArrayInputStream(inputBytes);

        // Make sure we are testing PNGImageReader
        ImageReader reader = ImageIO.getImageReadersByFormatName("png").next();
        assert reader.getClass().getName().equals("com.sun.imageio.plugins.png.PNGImageReader");

        // Set input and mark ignoreMetadata = false
        reader.setInput(ImageIO.createImageInputStream(in), true, false);
        reader.read(0); // Throws java.lang.NegativeArraySizeException!
        reader.dispose();
    }
}
---------- END SOURCE ----------
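The check whose absence the description points at, sketched as an added example (not code from the JDK or from this report): the keyword terminator is searched for only within the chunk's own data, and a missing terminator becomes an IIOException instead of a negative array size. The names ZtxtKeywordCheck, ZtxtHeader and parseZtxt are hypothetical, and the sample payloads are constructed.

```java
import java.nio.charset.StandardCharsets;
import javax.imageio.IIOException;

// Added example, not JDK code; class and method names are hypothetical.
public class ZtxtKeywordCheck {
    static final class ZtxtHeader {
        final String keyword; final int textOffset; final int textLength;
        ZtxtHeader(String k, int off, int len) { keyword = k; textOffset = off; textLength = len; }
    }

    // `data` must hold exactly the chunk's data field (chunk-length bytes, no CRC).
    static ZtxtHeader parseZtxt(byte[] data) throws IIOException {
        int nul = -1;
        // Look for the terminator only inside this chunk; PNG keywords are 1..79 bytes.
        for (int i = 0; i < data.length && i <= 79; i++) {
            if (data[i] == 0) { nul = i; break; }
        }
        if (nul < 1) {
            throw new IIOException("zTXt keyword empty or not null-terminated within chunk");
        }
        // The compression-method byte must follow the terminator.
        if (nul + 1 >= data.length) {
            throw new IIOException("zTXt chunk too short for compression method");
        }
        if (data[nul + 1] != 0) {
            throw new IIOException("Unsupported zTXt compression method");
        }
        String keyword = new String(data, 0, nul, StandardCharsets.ISO_8859_1);
        int textOffset = nul + 2;
        // Non-negative by construction, so it is safe to use as an array size.
        return new ZtxtHeader(keyword, textOffset, data.length - textOffset);
    }

    public static void main(String[] args) throws IIOException {
        // Constructed sample: keyword "Title", method 0, two bytes of compressed data.
        byte[] ok = {'T', 'i', 't', 'l', 'e', 0, 0, 0x78, (byte) 0x9c};
        ZtxtHeader h = parseZtxt(ok);
        System.out.println(h.keyword + " text bytes=" + h.textLength);
        // Constructed sample: four keyword bytes and no terminator in the chunk.
        byte[] bad = "aaaa".getBytes(StandardCharsets.ISO_8859_1);
        try {
            parseZtxt(bad);
        } catch (IIOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```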
Duplicates: JDK-8191023 PngReader throws NegativeArraySizeException when keyword length exceeds chunk size (Resolved)