On Tue, 20 Jul 2021 06:25:22 GMT, Jayathirth D V <j...@openjdk.org> wrote:
> We are incorrectly passing source offset to ImageInputStream.readFully() > which is getting used on destination buffer. streamPos maintained in each > implementation of stream maintain's appropriate source offset while reading > the data. Since we are completely utilizing destination buffer any offset > greater than 0 would cause IOOBE. In our case we should use 0 as offset value. > > Also to hit this code we need stream/file with at-least 1MB of IFD data, > that's why there is no regression test. This change can be verified using > image attached in JBS. All test run is green. I went through TIFF spec and image provided in the bug to understand whether we can find a way to pass similar data to reproduce the issue. The image attached in JBS has ICCProfile as one of the TIFFTag(This is considered as UNDEFINED tag by our standard reader) and its count is more than 1024000. And for this ICCProfile tag corresponding data is also present in the stream, it is not some corrupt header scenario where we can just write bad data in header and hit the issue. We divide the tag data in chunks on 1024000 bytes, when we are done reading first chunk of ICCProfile data and start reading the second chunk we hit this issue. So to add regression test for this scenario we need more than 1024000 bytes of data in one of the TIFFTag type where the present change is done. We will not be able to pass that amount of data in byteArray stream. Also if we want to pass raw data as part of a TIFFTag i need relevant TIFFtag data like ICCProfile in the image attached in JBS. So i am leaving discussion open so that others can give inputs on ways we can put relevant data into our TIFFImageWriter to hit this issue. ------------- PR: https://git.openjdk.java.net/jdk/pull/4836
