P4
To reproduce, run the following example:
---------------------------------------------------------------------
import javafx.scene.image.WritableImage;
public class ImageIAETest {
public static void main(String[] args) {
// The following is expected to throw an exception
new WritableImage(12345, 54321);
}
}
---------------------------------------------------------------------
$ java ImageIAETest
Exception in thread "main" java.lang.IllegalArgumentException: capacity < 0: (-1612596316 < 0)
at java.base/java.nio.Buffer.createCapacityException(Buffer.java:289)
at java.base/java.nio.ByteBuffer.allocate(ByteBuffer.java:397)
at javafx.graphics@26-internal/com.sun.javafx.tk.quantum.QuantumToolkit.createPlatformImage(QuantumToolkit.java:1471)
at javafx.graphics@26-internal/javafx.scene.image.Image.<init>(Image.java:747)
at javafx.graphics@26-internal/javafx.scene.image.WritableImage.<init>(WritableImage.java:77)
at ImageIAETest.main(ImageIAETest.java:6)
If both w and h are positive, it will ultimately create a buffer of size `width*height*4` without first checking for overflow. This can lead to a misleading exception message, if w*h*4 wraps around to a negative value as it does in the above example, or a failure when the image is accessed (likely with an even more misleading message) if `w*h*4` wraps around to a positive, but too small, value.
javafx.scene.image.Image has several other constructors that take a width and height argument, so they should be examined, too.
---------------------------------------------------------------------
import javafx.scene.image.WritableImage;
public class ImageIAETest {
public static void main(String[] args) {
// The following is expected to throw an exception
new WritableImage(12345, 54321);
}
}
---------------------------------------------------------------------
$ java ImageIAETest
Exception in thread "main" java.lang.IllegalArgumentException: capacity < 0: (-1612596316 < 0)
at java.base/java.nio.Buffer.createCapacityException(Buffer.java:289)
at java.base/java.nio.ByteBuffer.allocate(ByteBuffer.java:397)
at javafx.graphics@26-internal/com.sun.javafx.tk.quantum.QuantumToolkit.createPlatformImage(QuantumToolkit.java:1471)
at javafx.graphics@26-internal/javafx.scene.image.Image.<init>(Image.java:747)
at javafx.graphics@26-internal/javafx.scene.image.WritableImage.<init>(WritableImage.java:77)
at ImageIAETest.main(ImageIAETest.java:6)
If both w and h are positive, it will ultimately create a buffer of size `width*height*4` without first checking for overflow. This can lead to a misleading exception message, if w*h*4 wraps around to a negative value as it does in the above example, or a failure when the image is accessed (likely with an even more misleading message) if `w*h*4` wraps around to a positive, but too small, value.
javafx.scene.image.Image has several other constructors that take a width and height argument, so they should be examined, too.