[
https://issues.apache.org/jira/browse/XGC-149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18071440#comment-18071440
]
Joshua Marquart commented on XGC-149:
-------------------------------------
I searched the batik codebase for similar areas for the method signature
{code:java}
public void write(byte[] b, int off, int len)
{code}
and located 4:
Found
* 2 in PNGImageEncoder
* 1 in SeekableOutputStream
* 1 in batik-transcoder JPEGTranscoder (I placed it after the os null check
which returns)
For all 4, I added this defensive code section:
{code:java}
if (b == null) throw new NullPointerException();
if (off < 0 || len < 0 || len > b.length - off) throw new IndexOutOfBoundsException();
{code}
Attached as a patch.
> Apache Batik-Codec implicated by CVE-2026-24806, CVE-2026-24807
> ---------------------------------------------------------------
>
> Key: XGC-149
> URL: https://issues.apache.org/jira/browse/XGC-149
> Project: XMLGraphicsCommons
> Issue Type: Bug
> Components: image writer
> Affects Versions: 2.11
> Reporter: Joshua Marquart
> Priority: Trivial
> Attachments:
> Added_defensive_input_validation_to_write_at_offset_for_length.patch
>
>
> According to the National Vulnerability Database CVE-2026-24806,
> CVE-2026-24807 applies to batik-codec
> https://nvd.nist.gov/vuln/detail/CVE-2026-24806
> https://nvd.nist.gov/vuln/detail/CVE-2026-24807
> https://www.sentinelone.com/vulnerability-database/cve-2026-24806/
> This was identified in the quick-media fork of batik-codec and was due to
> input validation missing from the `public void write(byte[] b, int off, int
> len) throws IOException` methods of
> `org.apache.batik.ext.awt.image.codec.png.PNGImageEncoder.java` at line 91
> and `org.apache.batik.ext.awt.image.codec.util.SeekableOutputStream.java` at
> line 61:
> ```
> // Input validation
> if (b == null) {
> throw new NullPointerException();
> }
>
> if (off < 0 || len < 0 || len > b.length || off > b.length - len) {
> throw new ArrayIndexOutOfBoundsException();
> }
> ```
> Similar input validation does not exist in the Apache batik-codec 1.19 source
> download.
> This is causing components to be flagged with Medium vulnerability in
> Sonatype Lifecycle.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
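The bounds check discussed in the comment and issue above, as an added Java example; this is not code from the XML Graphics Commons or Batik code base nor from the attached patch, and `CheckedEncoderStream` is a hypothetical stand-in for the encoder streams named in the ticket. It shows why the check is written as `len > b.length - off` rather than `off + len > b.length`: the addition can overflow `int` and wrap negative, so a caller passing a huge `len` would slip past the additive form.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;

// Hypothetical stream (not Batik's) carrying the defensive check from the ticket.
public class CheckedEncoderStream extends OutputStream {
    private final ByteArrayOutputStream sink = new ByteArrayOutputStream();

    @Override
    public void write(int b) {
        sink.write(b);
    }

    @Override
    public void write(byte[] b, int off, int len) throws IOException {
        if (b == null) throw new NullPointerException();
        // Subtraction form: b.length - off cannot overflow for off >= 0, and a
        // negative result (off > b.length) is always smaller than a non-negative len.
        if (off < 0 || len < 0 || len > b.length - off) {
            throw new IndexOutOfBoundsException("off=" + off + " len=" + len + " length=" + b.length);
        }
        sink.write(b, off, len);
    }

    public byte[] toByteArray() {
        return sink.toByteArray();
    }

    // The additive form some code uses; shown only to contrast with the check above.
    static boolean naiveInRange(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && off + len <= b.length;
    }

    public static void main(String[] args) throws IOException {
        byte[] data = "constructed".getBytes("US-ASCII"); // constructed sample input
        CheckedEncoderStream out = new CheckedEncoderStream();

        out.write(data, 2, 5); // valid: bytes 2..6
        System.out.println("wrote " + out.toByteArray().length + " bytes");

        int off = 2, len = Integer.MAX_VALUE;
        // off + len wraps to a negative int, so the additive check wrongly accepts it.
        System.out.println("naive check accepts: " + naiveInRange(data, off, len));
        try {
            out.write(data, off, len);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("subtraction check rejects: " + e.getMessage());
        }
    }
}
```

The same contract is what `java.io.OutputStream.write(byte[], int, int)` enforces in the JDK, so an encoder that overrides it without the check silently weakens the base class guarantee.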