This is an automated email from the ASF dual-hosted git repository.
kinow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-imaging.git
The following commit(s) were added to refs/heads/master by this push:
new 9b1c46e IMAGING-325: Throw error if the color palette length is
negative
9b1c46e is described below
commit 9b1c46ea51e70d4d30040014d930cf19200f6660
Author: Bruno P. Kinoshita <ki...@apache.org>
AuthorDate: Sat Jan 22 23:34:30 2022 +1300
IMAGING-325: Throw error if the color palette length is negative
---
src/changes/changes.xml | 4 ++++
.../apache/commons/imaging/formats/bmp/BmpImageParser.java | 4 ++++
.../apache/commons/imaging/formats/bmp/BmpReadTest.java | 9 +++++++++
.../crash-3afb569de74522535ef65922233e1920455cdc14.bmp | Bin 0 -> 74 bytes
4 files changed, 17 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 95a90b0..313921a 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -45,6 +45,10 @@ The <action> type attribute can be add,update,fix,remove.
</properties>
<body>
<release version="1.0-alpha3" date="2022-??-??" description="Third 1.0
alpha release">
+ <action issue="IMAGING-325" dev="kinow" type="fix" due-to="Jin Wang">
+ Prevent OutOfMemoryError in BmpImageParser. This can happen when the
color palette length is
+ a large negative number.
+ </action>
<action issue="IMAGING-320" dev="kinow" type="fix" due-to="Gary Lucas">
Read TIFFs with 32-bit samples.
</action>
diff --git
a/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java
b/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java
index 003dd97..ea956e5 100644
--- a/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java
+++ b/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java
@@ -385,6 +385,10 @@ public class BmpImageParser extends
ImageParser<BmpImagingParameters> {
+ bhi.compression);
}
+ if (paletteLength < 0) {
+ throw new ImageReadException("BMP: Invalid negative palette
length: " + paletteLength);
+ }
+
byte[] colorTable = null;
if (paletteLength > 0) {
colorTable = readBytes("ColorTable", is, paletteLength,
diff --git
a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java
b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java
index 7e31907..6b30bd8 100644
--- a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java
+++ b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java
@@ -17,6 +17,7 @@
package org.apache.commons.imaging.formats.bmp;
import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
import java.awt.image.BufferedImage;
import java.io.File;
@@ -76,4 +77,12 @@ public class BmpReadTest extends BmpBaseTest {
"/bmp/5/@broken/timeout-bd15dbfa26b4e88070de540c6603039e8a88626f");
new BmpImageParser().dumpImageFile(new ByteSourceFile(inputFile));
}
+
+ @Test
+ public void testNegativePaletteLength() throws ImageReadException,
IOException {
+ final String input =
"/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp";
+ final String location = BmpReadTest.class.getResource(input).getFile();
+ final File inputFile = new File(location);
+ assertThrows(ImageReadException.class, () -> new
BmpImageParser().dumpImageFile(new ByteSourceFile(inputFile)));
+ }
}
diff --git
a/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp
b/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp
new file mode 100644
index 0000000..479105a
Binary files /dev/null and
b/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp
differ
