[jira] [Commented] (COMPRESS-569) OutOfMemoryError on a crafted tar file
[ https://issues.apache.org/jira/browse/COMPRESS-569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17296664#comment-17296664 ] Fabian Meumertzheim commented on COMPRESS-569: -- [~bodewig] Yes, feel free to use the archive and reproducer under any license you want. I will let the fuzzer run on the fixed version (https://github.com/apache/commons-compress/commit/8543b030e93fa71b6093ac7d4cdb8c4e98bfd63d) and report back if I should get any more findings. > OutOfMemoryError on a crafted tar file > -- > > Key: COMPRESS-569 > URL: https://issues.apache.org/jira/browse/COMPRESS-569 > Project: Commons Compress > Issue Type: Bug >Affects Versions: 1.21 >Reporter: Fabian Meumertzheim >Priority: Blocker > Attachments: TarFileTimeout.java, timeout.tar > > > Apache Commons Compress at commit > https://github.com/apache/commons-compress/commit/1b7528fbd6295a3958daf1b1114621ee5e40e83c > throws an OutOfMemoryError after consuming ~5 minutes of CPU on my > machine on a crafted tar archive that is less than a KiB in size: > Exception in thread "main" java.lang.OutOfMemoryError: Java heap space > at java.base/sun.nio.cs.UTF_8.newDecoder(UTF_8.java:70) > at > org.apache.commons.compress.archivers.zip.NioZipEncoding.newDecoder(NioZipEncoding.java:182) > at > org.apache.commons.compress.archivers.zip.NioZipEncoding.decode(NioZipEncoding.java:135) > at > org.apache.commons.compress.archivers.tar.TarUtils.parseName(TarUtils.java:311) > at > org.apache.commons.compress.archivers.tar.TarUtils.parseName(TarUtils.java:275) > at > org.apache.commons.compress.archivers.tar.TarArchiveEntry.parseTarHeader(TarArchiveEntry.java:1550) > at > org.apache.commons.compress.archivers.tar.TarArchiveEntry.(TarArchiveEntry.java:554) > at > org.apache.commons.compress.archivers.tar.TarArchiveEntry.(TarArchiveEntry.java:570) > at > org.apache.commons.compress.archivers.tar.TarFile.getNextTarEntry(TarFile.java:250) > at org.apache.commons.compress.archivers.tar.TarFile.(TarFile.java:211) > at org.apache.commons.compress.archivers.tar.TarFile.(TarFile.java:94) > at TarFileTimeout.main(TarFileTimeout.java:22) > I attached both the tar file and a Java reproducer for this issue. > Citing Stefan Bodewig's analysis of this issue: > Your archive contains an entry with a claimed size of -512 bytes. When > TarFile reads entries it tries to skip the content of th entry as it is > only interested in meta data on a first scan and does so by positioning > the input stream right after the data of the current entry. In this case > it positions it 512 bytes backwards right at the start of the current > entry's meta data again. This leads to an infinite loop that reads a new > entry, stores the meta data, repositions the stream and starts over > again. Over time the list of collected meta data eats up all available > memory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser
[ https://issues.apache.org/jira/browse/IMAGING-279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fabian Meumertzheim updated IMAGING-279: Attachment: negative_array_size_exception.bmp > Array sizes not checked for overflow in BmpImageParser > -- > > Key: IMAGING-279 > URL: https://issues.apache.org/jira/browse/IMAGING-279 > Project: Commons Imaging > Issue Type: Bug > Components: Format: BMP >Affects Versions: 1.0-alpha2 >Reporter: Fabian Meumertzheim >Assignee: Bruno P. Kinoshita >Priority: Major > Fix For: 1.0-alpha3 > > Attachments: negative_array_size_exception.bmp > > Time Spent: 20m > Remaining Estimate: 0h > > In BmpImageParser.readImageContents, it is not verified that > [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] > does not overflow. If it does, BinaryFunctions.readBytes crashes with an > uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser
[ https://issues.apache.org/jira/browse/IMAGING-279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17293563#comment-17293563 ] Fabian Meumertzheim commented on IMAGING-279: - The attached BMP gives me the following stack trace when loaded via new BmpImageParser().getBufferedImage(new ByteSourceArray(input), new HashMap<>()); java.lang.NegativeArraySizeException: -938762240 at org.apache.commons.imaging.common.BinaryFunctions.readBytes(BinaryFunctions.java:91) at org.apache.commons.imaging.formats.bmp.BmpImageParser.readImageContents(BmpImageParser.java:451) at org.apache.commons.imaging.formats.bmp.BmpImageParser.getBufferedImage(BmpImageParser.java:662) at org.apache.commons.imaging.formats.bmp.BmpImageParser.getBufferedImage(BmpImageParser.java:643) !negative_array_size_exception.bmp! > Array sizes not checked for overflow in BmpImageParser > -- > > Key: IMAGING-279 > URL: https://issues.apache.org/jira/browse/IMAGING-279 > Project: Commons Imaging > Issue Type: Bug > Components: Format: BMP >Affects Versions: 1.0-alpha2 >Reporter: Fabian Meumertzheim >Assignee: Bruno P. Kinoshita >Priority: Major > Fix For: 1.0-alpha3 > > Attachments: negative_array_size_exception.bmp > > Time Spent: 20m > Remaining Estimate: 0h > > In BmpImageParser.readImageContents, it is not verified that > [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] > does not overflow. If it does, BinaryFunctions.readBytes crashes with an > uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser
[ https://issues.apache.org/jira/browse/IMAGING-279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fabian Meumertzheim updated IMAGING-279: Description: In BmpImageParser.readImageContents, it is not verified that [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] does not overflow. If it does, BinaryFunctions.readBytes crashes with an uncaught NegativeArraySizeException. (was: In BmpImageParser.readImageContents, there is no check that [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] does not overflow. If it does, BinaryFunctions.readBytes crashes with an uncaught NegativeArraySizeException.) > Array sizes not checked for overflow in BmpImageParser > -- > > Key: IMAGING-279 > URL: https://issues.apache.org/jira/browse/IMAGING-279 > Project: Commons Imaging > Issue Type: Bug > Components: Format: BMP >Affects Versions: 1.0-alpha2 >Reporter: Fabian Meumertzheim >Priority: Major > > In BmpImageParser.readImageContents, it is not verified that > [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] > does not overflow. If it does, BinaryFunctions.readBytes crashes with an > uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (COMPRESS-569) OutOfMemoryError on a crafted tar file
Fabian Meumertzheim created COMPRESS-569: Summary: OutOfMemoryError on a crafted tar file Key: COMPRESS-569 URL: https://issues.apache.org/jira/browse/COMPRESS-569 Project: Commons Compress Issue Type: Bug Affects Versions: 1.21 Reporter: Fabian Meumertzheim Attachments: TarFileTimeout.java, timeout.tar Apache Commons Compress at commit https://github.com/apache/commons-compress/commit/1b7528fbd6295a3958daf1b1114621ee5e40e83c throws an OutOfMemoryError after consuming ~5 minutes of CPU on my machine on a crafted tar archive that is less than a KiB in size: Exception in thread "main" java.lang.OutOfMemoryError: Java heap space at java.base/sun.nio.cs.UTF_8.newDecoder(UTF_8.java:70) at org.apache.commons.compress.archivers.zip.NioZipEncoding.newDecoder(NioZipEncoding.java:182) at org.apache.commons.compress.archivers.zip.NioZipEncoding.decode(NioZipEncoding.java:135) at org.apache.commons.compress.archivers.tar.TarUtils.parseName(TarUtils.java:311) at org.apache.commons.compress.archivers.tar.TarUtils.parseName(TarUtils.java:275) at org.apache.commons.compress.archivers.tar.TarArchiveEntry.parseTarHeader(TarArchiveEntry.java:1550) at org.apache.commons.compress.archivers.tar.TarArchiveEntry.(TarArchiveEntry.java:554) at org.apache.commons.compress.archivers.tar.TarArchiveEntry.(TarArchiveEntry.java:570) at org.apache.commons.compress.archivers.tar.TarFile.getNextTarEntry(TarFile.java:250) at org.apache.commons.compress.archivers.tar.TarFile.(TarFile.java:211) at org.apache.commons.compress.archivers.tar.TarFile.(TarFile.java:94) at TarFileTimeout.main(TarFileTimeout.java:22) I attached both the tar file and a Java reproducer for this issue. Citing Stefan Bodewig's analysis of this issue: Your archive contains an entry with a claimed size of -512 bytes. When TarFile reads entries it tries to skip the content of th entry as it is only interested in meta data on a first scan and does so by positioning the input stream right after the data of the current entry. In this case it positions it 512 bytes backwards right at the start of the current entry's meta data again. This leads to an infinite loop that reads a new entry, stores the meta data, repositions the stream and starts over again. Over time the list of collected meta data eats up all available memory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (COMPRESS-567) IllegalArgumentException in ZipFile.positionAtCentralDirectory
[
https://issues.apache.org/jira/browse/COMPRESS-567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17291490#comment-17291490
]
Fabian Meumertzheim commented on COMPRESS-567:
--
I found these bugs using https://github.com/CodeIntelligenceTesting/jazzer,
which provides you with both the raw crashing input and a Java reproducer with
the raw input encoded as Base64 for easier sharing (byte array literals are
cumbersome in Java and would need more characters).
> IllegalArgumentException in ZipFile.positionAtCentralDirectory
> --
>
> Key: COMPRESS-567
> URL: https://issues.apache.org/jira/browse/COMPRESS-567
> Project: Commons Compress
> Issue Type: Bug
>Affects Versions: 1.20
>Reporter: Fabian Meumertzheim
>Priority: Major
> Attachments: crash.zip
>
>
> The following snippet of code throws an undeclared IllegalArgumentException:
> {code:java}
> byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
> SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
> try {
> ZipFile file = new ZipFile(input);
> } catch (IOException ignored) {}
> {code}
> The stack trace is:
> {noformat}
> java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
> at
> org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
> {noformat}
> I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (COMPRESS-568) NullPointerException in X5455_ExtendedTimestamp.getLocalFileDataData
[
https://issues.apache.org/jira/browse/COMPRESS-568?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290883#comment-17290883
]
Fabian Meumertzheim commented on COMPRESS-568:
--
Sorry, I should have tested with current HEAD as well. I also can't reproduce
this on
https://github.com/apache/commons-compress/commit/1b7528fbd6295a3958daf1b1114621ee5e40e83c
> NullPointerException in X5455_ExtendedTimestamp.getLocalFileDataData
>
>
> Key: COMPRESS-568
> URL: https://issues.apache.org/jira/browse/COMPRESS-568
> Project: Commons Compress
> Issue Type: Bug
>Affects Versions: 1.20
>Reporter: Fabian Meumertzheim
>Priority: Major
> Attachments: npe.zip
>
>
> The following snippet of code throws an undeclared NullPointerException:
> {code:java}
> byte[] bytes =
> base64.getDecoder().decode("UEsDBAoACQAAAGu0ukYdiHewEwcDABwAYWFhVVQDAAn5ygAAUEsFBgAC/0IABQAAUEsBAh4DCgAJAP8ABbS6RgAAIAAHAAABAABQSwUGAP///wU=");
>
> SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
> try { ZipFile file = new ZipFile(input); } catch (IOException ignored) {}
> {code}
> The stack trace is:
> {noformat}
> java.lang.NullPointerException: Cannot invoke
> "org.apache.commons.compress.archivers.zip.ZipLong.getBytes()" because
> "this.modifyTime" is null
> at
> org.apache.commons.compress.archivers.zip.X5455_ExtendedTimestamp.getLocalFileDataData(X5455_ExtendedTimestamp.java:180)
> at
> org.apache.commons.compress.archivers.zip.ExtraFieldUtils.mergeLocalFileDataData(ExtraFieldUtils.java:250)
> at
> org.apache.commons.compress.archivers.zip.ZipArchiveEntry.setExtra(ZipArchiveEntry.java:691)
> at
> org.apache.commons.compress.archivers.zip.ZipArchiveEntry.addExtraField(ZipArchiveEntry.java:573)
> at
> org.apache.commons.compress.archivers.zip.ZipArchiveEntry.mergeExtraFields(ZipArchiveEntry.java:903)
> at
> org.apache.commons.compress.archivers.zip.ZipArchiveEntry.setExtra(ZipArchiveEntry.java:676)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.resolveLocalFileHeaderData(ZipFile.java:1237)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:373)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
> {noformat}
> I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (COMPRESS-567) IllegalArgumentException in ZipFile.positionAtCentralDirectory
[
https://issues.apache.org/jira/browse/COMPRESS-567?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290882#comment-17290882
]
Fabian Meumertzheim commented on COMPRESS-567:
--
Yes, the ZIP is clearly invalid, but I would expect a (subclass of) IOException
here instead of an IllegalArgumentException.
> IllegalArgumentException in ZipFile.positionAtCentralDirectory
> --
>
> Key: COMPRESS-567
> URL: https://issues.apache.org/jira/browse/COMPRESS-567
> Project: Commons Compress
> Issue Type: Bug
>Affects Versions: 1.20
>Reporter: Fabian Meumertzheim
>Priority: Major
> Attachments: crash.zip
>
>
> The following snippet of code throws an undeclared IllegalArgumentException:
> {code:java}
> byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
> SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
> try {
> ZipFile file = new ZipFile(input);
> } catch (IOException ignored) {}
> {code}
> The stack trace is:
> {noformat}
> java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
> at
> org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
> {noformat}
> I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (COMPRESS-568) NullPointerException in X5455_ExtendedTimestamp.getLocalFileDataData
Fabian Meumertzheim created COMPRESS-568:
Summary: NullPointerException in
X5455_ExtendedTimestamp.getLocalFileDataData
Key: COMPRESS-568
URL: https://issues.apache.org/jira/browse/COMPRESS-568
Project: Commons Compress
Issue Type: Bug
Affects Versions: 1.20
Reporter: Fabian Meumertzheim
Attachments: npe.zip
The following snippet of code throws an undeclared NullPointerException:
{code:java}
byte[] bytes =
base64.getDecoder().decode("UEsDBAoACQAAAGu0ukYdiHewEwcDABwAYWFhVVQDAAn5ygAAUEsFBgAC/0IABQAAUEsBAh4DCgAJAP8ABbS6RgAAIAAHAAABAABQSwUGAP///wU=");
SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
try { ZipFile file = new ZipFile(input); } catch (IOException ignored) {}
{code}
The stack trace is:
{noformat}
java.lang.NullPointerException: Cannot invoke
"org.apache.commons.compress.archivers.zip.ZipLong.getBytes()" because
"this.modifyTime" is null
at
org.apache.commons.compress.archivers.zip.X5455_ExtendedTimestamp.getLocalFileDataData(X5455_ExtendedTimestamp.java:180)
at
org.apache.commons.compress.archivers.zip.ExtraFieldUtils.mergeLocalFileDataData(ExtraFieldUtils.java:250)
at
org.apache.commons.compress.archivers.zip.ZipArchiveEntry.setExtra(ZipArchiveEntry.java:691)
at
org.apache.commons.compress.archivers.zip.ZipArchiveEntry.addExtraField(ZipArchiveEntry.java:573)
at
org.apache.commons.compress.archivers.zip.ZipArchiveEntry.mergeExtraFields(ZipArchiveEntry.java:903)
at
org.apache.commons.compress.archivers.zip.ZipArchiveEntry.setExtra(ZipArchiveEntry.java:676)
at
org.apache.commons.compress.archivers.zip.ZipFile.resolveLocalFileHeaderData(ZipFile.java:1237)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:373)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
{noformat}
I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (COMPRESS-567) IllegalArgumentException in ZipFile.positionAtCentralDirectory
[
https://issues.apache.org/jira/browse/COMPRESS-567?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Fabian Meumertzheim updated COMPRESS-567:
-
Description:
The following snippet of code throws an undeclared IllegalArgumentException:
{code:java}
byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
try {
ZipFile file = new ZipFile(input);
} catch (IOException ignored) {}
{code}
The stack trace is:
{noformat}
java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
at
org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
at
org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
{noformat}
I also attached the input as a ZIP file.
was:
The following snippet of code throws an undeclared IllegalArgumentException:
{code:java}
byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
try {
ZipFile file = new ZipFile(input);
} catch (IOException ignored) {}
{code}
The stack trace is:
{noformat}
java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
at
org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
at
org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
{noformat}
I also attached the input as a ZIP file.
> IllegalArgumentException in ZipFile.positionAtCentralDirectory
> --
>
> Key: COMPRESS-567
> URL: https://issues.apache.org/jira/browse/COMPRESS-567
> Project: Commons Compress
> Issue Type: Bug
>Affects Versions: 1.20
>Reporter: Fabian Meumertzheim
>Priority: Major
> Attachments: crash.zip
>
>
> The following snippet of code throws an undeclared IllegalArgumentException:
> {code:java}
> byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
> SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
> try {
> ZipFile file = new ZipFile(input);
> } catch (IOException ignored) {}
> {code}
> The stack trace is:
> {noformat}
> java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
> at
> org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
> at
> org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
> {noformat}
> I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (COMPRESS-567) IllegalArgumentException in ZipFile.positionAtCentralDirectory
Fabian Meumertzheim created COMPRESS-567:
Summary: IllegalArgumentException in
ZipFile.positionAtCentralDirectory
Key: COMPRESS-567
URL: https://issues.apache.org/jira/browse/COMPRESS-567
Project: Commons Compress
Issue Type: Bug
Affects Versions: 1.20
Reporter: Fabian Meumertzheim
Attachments: crash.zip
The following snippet of code throws an undeclared IllegalArgumentException:
{code:java}
byte[] bytes = Base64.getDecoder().decode("UEsFBgAAAQD//1AAJP9QAA==");
SeekableInMemoryByteChannel input = new SeekableInMemoryByteChannel(bytes);
try {
ZipFile file = new ZipFile(input);
} catch (IOException ignored) {}
{code}
The stack trace is:
{noformat}
java.lang.IllegalArgumentException: Position has to be in range 0.. 2147483647
at
org.apache.commons.compress.utils.SeekableInMemoryByteChannel.position(SeekableInMemoryByteChannel.java:94)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory32(ZipFile.java:1128)
at
org.apache.commons.compress.archivers.zip.ZipFile.positionAtCentralDirectory(ZipFile.java:1037)
at
org.apache.commons.compress.archivers.zip.ZipFile.populateFromCentralDirectory(ZipFile.java:702)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:371)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:318)
at
org.apache.commons.compress.archivers.zip.ZipFile.(ZipFile.java:274)
{noformat}
I also attached the input as a ZIP file.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser
[ https://issues.apache.org/jira/browse/IMAGING-279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fabian Meumertzheim updated IMAGING-279: Summary: Array sizes not checked for overflow in BmpImageParser (was: Array sizes not checked for overflow) > Array sizes not checked for overflow in BmpImageParser > -- > > Key: IMAGING-279 > URL: https://issues.apache.org/jira/browse/IMAGING-279 > Project: Commons Imaging > Issue Type: Bug > Components: Format: BMP >Affects Versions: 1.0-alpha2 >Reporter: Fabian Meumertzheim >Priority: Major > > In BmpParser.readImageContents, there is no check that > [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] > does not overflow. If it does, BinaryFunctions.readBytes crashes with an > uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser
[ https://issues.apache.org/jira/browse/IMAGING-279?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Fabian Meumertzheim updated IMAGING-279: Description: In BmpImageParser.readImageContents, there is no check that [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] does not overflow. If it does, BinaryFunctions.readBytes crashes with an uncaught NegativeArraySizeException. (was: In BmpParser.readImageContents, there is no check that [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] does not overflow. If it does, BinaryFunctions.readBytes crashes with an uncaught NegativeArraySizeException.) > Array sizes not checked for overflow in BmpImageParser > -- > > Key: IMAGING-279 > URL: https://issues.apache.org/jira/browse/IMAGING-279 > Project: Commons Imaging > Issue Type: Bug > Components: Format: BMP >Affects Versions: 1.0-alpha2 >Reporter: Fabian Meumertzheim >Priority: Major > > In BmpImageParser.readImageContents, there is no check that > [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] > does not overflow. If it does, BinaryFunctions.readBytes crashes with an > uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (IMAGING-279) Array sizes not checked for overflow
Fabian Meumertzheim created IMAGING-279: --- Summary: Array sizes not checked for overflow Key: IMAGING-279 URL: https://issues.apache.org/jira/browse/IMAGING-279 Project: Commons Imaging Issue Type: Bug Components: Format: BMP Affects Versions: 1.0-alpha2 Reporter: Fabian Meumertzheim In BmpParser.readImageContents, there is no check that [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441] does not overflow. If it does, BinaryFunctions.readBytes crashes with an uncaught NegativeArraySizeException. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (IMAGING-278) IllegalArgumentException in MyLzwDecompressor
Fabian Meumertzheim created IMAGING-278:
---
Summary: IllegalArgumentException in MyLzwDecompressor
Key: IMAGING-278
URL: https://issues.apache.org/jira/browse/IMAGING-278
Project: Commons Imaging
Issue Type: Bug
Components: Format: GIF
Affects Versions: 1.0-alpha2
Reporter: Fabian Meumertzheim
The following Java snippet crashes with an IllegalArgumentException:
{code:java}
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import org.apache.commons.imaging.ImageReadException;
import org.apache.commons.imaging.common.bytesource.ByteSourceArray;
import org.apache.commons.imaging.formats.gif.GifImageParser;
public class GifImageParserCrash2 {
public static byte[] btoa(String base64) {
return Base64.getDecoder().decode(base64);
}
public static void main(String[] args) {
byte[] input = btoa("AAAp/QIKACwAgAD4Kf///iIAAA==");
try {
new GifImageParser().getBufferedImage(new ByteSourceArray(input),
new HashMap<>());
} catch (IOException | ImageReadException e) {}
}
}
{code}
The stack trace is:
{noformat}
Exception in thread "main" java.lang.IllegalArgumentException: Negative initial
size: -30877737
at
java.base/java.io.ByteArrayOutputStream.(ByteArrayOutputStream.java:78)
at
org.apache.commons.imaging.common.mylzw.MyLzwDecompressor.decompress(MyLzwDecompressor.java:144)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readImageDescriptor(GifImageParser.java:397)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readBlocks(GifImageParser.java:261)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readFile(GifImageParser.java:475)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readFile(GifImageParser.java:459)
at
org.apache.commons.imaging.formats.gif.GifImageParser.getBufferedImage(GifImageParser.java:840)
at GifImageParserCrash2.main(GifImageParserCrash2.java:17)
{noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (IMAGING-277) ArrayIndexOutOfBoundsException in MyLzwDecompressor
Fabian Meumertzheim created IMAGING-277:
---
Summary: ArrayIndexOutOfBoundsException in MyLzwDecompressor
Key: IMAGING-277
URL: https://issues.apache.org/jira/browse/IMAGING-277
Project: Commons Imaging
Issue Type: Bug
Components: Format: GIF
Affects Versions: 1.0-alpha2
Reporter: Fabian Meumertzheim
The following Java snippet crashes with an ArrayIndexOutOfBoundsException:
{code:java}
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import org.apache.commons.imaging.ImageReadException;
import org.apache.commons.imaging.common.bytesource.ByteSourceArray;
import org.apache.commons.imaging.formats.gif.GifImageParser;
public class GifImageParserCrash1 {
public static byte[] btoa(String base64) {
return Base64.getDecoder().decode(base64);
}
public static void main(String[] args) {
byte[] input = btoa("SQAACklJAPVPAAIKACy3LAACAP8JAAD4AA==");
try {
new GifImageParser().getBufferedImage(new ByteSourceArray(input),
new HashMap<>());
} catch (IOException | ImageReadException e) {}
}
}
{code}
The stack trace is:
{noformat}
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 4096
out of bounds for length 4096
at
org.apache.commons.imaging.common.mylzw.MyLzwDecompressor.initializeTable(MyLzwDecompressor.java:72)
at
org.apache.commons.imaging.common.mylzw.MyLzwDecompressor.(MyLzwDecompressor.java:63)
at
org.apache.commons.imaging.common.mylzw.MyLzwDecompressor.(MyLzwDecompressor.java:45)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readImageDescriptor(GifImageParser.java:395)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readBlocks(GifImageParser.java:261)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readFile(GifImageParser.java:475)
at
org.apache.commons.imaging.formats.gif.GifImageParser.readFile(GifImageParser.java:459)
at
org.apache.commons.imaging.formats.gif.GifImageParser.getBufferedImage(GifImageParser.java:840)
at GifImageParserCrash1.main(GifImageParserCrash1.java:17)
{noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (IMAGING-276) ArrayIndexOutOfBoundsException in TiffDirectory
Fabian Meumertzheim created IMAGING-276:
---
Summary: ArrayIndexOutOfBoundsException in TiffDirectory
Key: IMAGING-276
URL: https://issues.apache.org/jira/browse/IMAGING-276
Project: Commons Imaging
Issue Type: Bug
Components: Format: TIFF
Affects Versions: 1.0-alpha2
Reporter: Fabian Meumertzheim
Attachments: TiffImageParserCrash.java
The following Java snippet crashes with an ArrayIndexOutOfBoundsException:
{code:java}
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import org.apache.commons.imaging.ImageReadException;
import org.apache.commons.imaging.common.bytesource.ByteSourceArray;
import org.apache.commons.imaging.formats.tiff.TiffImageParser;
public class TiffImageParserCrash {
public static byte[] btoa(String base64) {
return Base64.getDecoder().decode(base64);
}
public static void main(String[] args) {
byte[] input =
btoa("SUkqAAoCAgIAAQIIAADNAAICAgICCQ==");
try {
new TiffImageParser().getBufferedImage(new ByteSourceArray(input),
new HashMap<>());
} catch (IOException | ImageReadException e) {}
}
}
{code}
The stack trace is:
{noformat}
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index 0
out of bounds for length 0
at
org.apache.commons.imaging.formats.tiff.TiffDirectory.getJpegRawImageDataElement(TiffDirectory.java:859)
at
org.apache.commons.imaging.formats.tiff.TiffReader.getJpegRawImageData(TiffReader.java:485)
at
org.apache.commons.imaging.formats.tiff.TiffReader.readDirectory(TiffReader.java:219)
at
org.apache.commons.imaging.formats.tiff.TiffReader.readDirectory(TiffReader.java:115)
at
org.apache.commons.imaging.formats.tiff.TiffReader.readDirectories(TiffReader.java:108)
at
org.apache.commons.imaging.formats.tiff.TiffReader.read(TiffReader.java:419)
at
org.apache.commons.imaging.formats.tiff.TiffReader.readFirstDirectory(TiffReader.java:382)
at
org.apache.commons.imaging.formats.tiff.TiffImageParser.getBufferedImage(TiffImageParser.java:465)
at TiffImageParserCrash.main(TiffImageParserCrash.java:17)
{noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (IMAGING-275) NegativeArraySizeException in SofnSegment
Fabian Meumertzheim created IMAGING-275:
---
Summary: NegativeArraySizeException in SofnSegment
Key: IMAGING-275
URL: https://issues.apache.org/jira/browse/IMAGING-275
Project: Commons Imaging
Issue Type: Bug
Components: Format: JPEG
Affects Versions: 1.0-alpha2
Reporter: Fabian Meumertzheim
Attachments: JpegImageParserCrash.java
The following Java snippet crashes with a NegativeArraySizeException:
{code:java}
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import org.apache.commons.imaging.ImageReadException;
import org.apache.commons.imaging.common.bytesource.ByteSourceArray;
import org.apache.commons.imaging.formats.jpeg.JpegImageParser;
public class JpegImageParserCrash {
public static byte[] btoa(String base64) {
return Base64.getDecoder().decode(base64);
}
public static void main(String[] args) {
byte[] input = btoa("/9j/wAAIQf//");
try {
new JpegImageParser().getBufferedImage(new ByteSourceArray(input),
new HashMap<>());
} catch (IOException | ImageReadException e) {}
}
}
{code}
The stack trace is:
{noformat}
Exception in thread "main" java.lang.NegativeArraySizeException: -1
at
org.apache.commons.imaging.formats.jpeg.segments.SofnSegment.(SofnSegment.java:72)
at
org.apache.commons.imaging.formats.jpeg.segments.SofnSegment.(SofnSegment.java:56)
at
org.apache.commons.imaging.formats.jpeg.decoder.JpegDecoder.visitSegment(JpegDecoder.java:235)
at
org.apache.commons.imaging.formats.jpeg.JpegUtils.traverseJFIF(JpegUtils.java:91)
at
org.apache.commons.imaging.formats.jpeg.decoder.JpegDecoder.decode(JpegDecoder.java:543)
at
org.apache.commons.imaging.formats.jpeg.JpegImageParser.getBufferedImage(JpegImageParser.java:104)
at JpegImageParserCrash.main(JpegImageParserCrash.java:17)
{noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
