kinow commented on a change in pull request #72:
URL: https://github.com/apache/commons-imaging/pull/72#discussion_r422086650



##########
File path: src/main/java/org/apache/commons/imaging/formats/tiff/datareaders/DataReaderStrips.java
##########
@@ -285,4 +324,57 @@ public BufferedImage readImageData(final Rectangle 
subImage)
                 subImage.height);
     }
 
+    @Override
+    public TiffRasterData readRasterData(Rectangle subImage)
+        throws ImageReadException, IOException {
+
+        int xRaster;
+        int yRaster;
+        int rasterWidth;
+        int rasterHeight;
+        if (subImage != null) {
+            xRaster = subImage.x;
+            yRaster = subImage.y;
+            rasterWidth = subImage.width;
+            rasterHeight = subImage.height;
+        } else {
+            xRaster = 0;
+            yRaster = 0;
+            rasterWidth = width;
+            rasterHeight = height;
+        }
+        float[] rasterData = new float[rasterWidth * rasterHeight];
+
+        // the legacy code is optimized to the reading of whole
+        // strips (except for the last strip in the image, which can
+        // be a partial).  So create a working image with compatible
+        // dimensions and read that.  Later on, the working image
+        // will be sub-imaged to the proper size.
+        // strip0 and strip1 give the indices of the strips containing
+        // the first and last rows of pixels in the subimage
+        final int strip0 = yRaster / rowsPerStrip;
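Review bot: `float[] rasterData = new float[rasterWidth * rasterHeight];` sizes the allocation from `subImage` (or from the reader's `width`/`height`) with no range check, so a negative or oversized rectangle, or image dimensions decoded from a crafted file, can make the `int` product overflow, throw `NegativeArraySizeException`, or request an enormous array before any pixel is read; validate ahead of the allocation that `subImage` has positive width and height and lies inside `0..width` x `0..height`, and compute the length with `Math.multiplyExact(rasterWidth, rasterHeight)` so an overflow surfaces as `ArithmeticException` that can be rethrown as `ImageReadException`. The same guard should assert `rowsPerStrip > 0` before `final int strip0 = yRaster / rowsPerStrip;`, since a zero there is an `ArithmeticException` on an untrusted input path.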

Review comment:
   Any chance—even if remote—that `rowsPerStrip` could be zero?

   One of the reasons why 1.0-alpha1 took so long (a couple of years after the work started?) was largely the CVEs created for Sanselan.

   One of the CVEs, if I am not mistaken, was about a division by zero (or another sort of arithmetic error?) that caused an exception and some infinite loop or large memory allocation (allowing users to perform DDoS).

   If it's never zero, then no need to worry. Otherwise, if there's any risk, better set a quick validation somewhere (here or in the constructor).
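A validation of the kind the comment above asks for, as an added example and not code from the commons-imaging pull request; it assumes the reader's `width`, `height` and `rowsPerStrip` fields and the `ImageReadException` type seen in the hunk, and collects the checks in a hypothetical static helper that `readRasterData` could call before it allocates `rasterData` or divides by `rowsPerStrip`:

```java
import java.awt.Rectangle;
import org.apache.commons.imaging.ImageReadException;

final class RasterRequestValidator {

    private RasterRequestValidator() {}

    /**
     * Checks every value readRasterData derives its loop bounds and
     * allocation size from, before any of them is used.
     * Returns the number of samples to allocate.
     */
    static int validate(int width, int height, int rowsPerStrip, Rectangle subImage)
            throws ImageReadException {
        // rowsPerStrip is decoded from the file: zero would make
        // yRaster / rowsPerStrip throw, a negative value would mis-index strips.
        if (rowsPerStrip <= 0) {
            throw new ImageReadException("Invalid RowsPerStrip: " + rowsPerStrip);
        }
        if (width <= 0 || height <= 0) {
            throw new ImageReadException("Invalid image dimensions: " + width + "x" + height);
        }
        int w = width;
        int h = height;
        if (subImage != null) {
            // The sub-image must lie entirely inside the image; the x + width
            // and y + height sums are done in long so they cannot overflow int.
            if (subImage.x < 0 || subImage.y < 0
                    || subImage.width <= 0 || subImage.height <= 0
                    || (long) subImage.x + subImage.width > width
                    || (long) subImage.y + subImage.height > height) {
                throw new ImageReadException("Sub-image " + subImage + " is outside the image");
            }
            w = subImage.width;
            h = subImage.height;
        }
        try {
            // Overflow of w * h becomes an exception instead of a negative length.
            return Math.multiplyExact(w, h);
        } catch (ArithmeticException e) {
            throw new ImageReadException("Raster size overflows int: " + w + "x" + h, e);
        }
    }

    public static void main(String[] args) throws ImageReadException {
        // Constructed sample values: a 640x480 image stored in 16-row strips.
        System.out.println(validate(640, 480, 16, new Rectangle(10, 20, 100, 50)));
        System.out.println(validate(640, 480, 16, null));
    }
}
```

The returned length is what `new float[...]` should use, so the allocation and the strip arithmetic both run only on values that have already passed the checks.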




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
