This is an automated email from the ASF dual-hosted git repository. kinow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-imaging.git
The following commit(s) were added to refs/heads/master by this push: new 197ed25 [IMAGING-302] Throw ImageReadException if the JPEG parser is given an image with a negative number of segments in SOF0Segment new f9043c5 Merge pull request #147 from kinow/IMAGING-302 197ed25 is described below commit 197ed2560bdaaa7cea31b064557220673e65bbd7 Author: Bruno P. Kinoshita <ki...@apache.org> AuthorDate: Sun May 9 15:52:40 2021 +1200 [IMAGING-302] Throw ImageReadException if the JPEG parser is given an image with a negative number of segments in SOF0Segment --- src/changes/changes.xml | 3 +++ .../imaging/formats/jpeg/segments/SofnSegment.java | 8 +++++-- .../commons/imaging/formats/jpeg/JpegReadTest.java | 24 +++++++++++++++++++++ ...se-minimized-ImagingJpegFuzzer-4548690447564800 | Bin 0 -> 12 bytes 4 files changed, 33 insertions(+), 2 deletions(-) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index a0ed065..b8881d0 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -129,6 +129,9 @@ The <action> type attribute can be add,update,fix,remove. <action issue="IMAGING-301" dev="kinow" type="update" due-to="OSS-Fuzz"> Throw ImageReadException if the GIF parser is given an image with invalid Lzw table instead of throwing IndexOutOfBoundsException. </action> + <action issue="IMAGING-302" dev="kinow" type="update" due-to="OSS-Fuzz"> + Throw ImageReadException if the JPEG parser is given an image with a negative number of segments in SOF0Segment. + </action> </release> <release version="1.0-alpha2" date="2020-08-01" description="Second 1.0 alpha release"> <action issue="IMAGING-258" dev="kinow" type="update" due-to="Gary Lucas"> diff --git a/src/main/java/org/apache/commons/imaging/formats/jpeg/segments/SofnSegment.java b/src/main/java/org/apache/commons/imaging/formats/jpeg/segments/SofnSegment.java index df319ca..748c868 100644 --- a/src/main/java/org/apache/commons/imaging/formats/jpeg/segments/SofnSegment.java +++ b/src/main/java/org/apache/commons/imaging/formats/jpeg/segments/SofnSegment.java @@ -25,6 +25,7 @@ import java.io.InputStream; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.commons.imaging.ImageReadException; import org.apache.commons.imaging.formats.jpeg.JpegConstants; public class SofnSegment extends Segment { @@ -52,12 +53,12 @@ public class SofnSegment extends Segment { } } - public SofnSegment(final int marker, final byte[] segmentData) throws IOException { + public SofnSegment(final int marker, final byte[] segmentData) throws IOException, ImageReadException { this(marker, segmentData.length, new ByteArrayInputStream(segmentData)); } public SofnSegment(final int marker, final int markerLength, final InputStream is) - throws IOException { + throws IOException, ImageReadException { super(marker, markerLength); if (LOGGER.isLoggable(Level.FINEST)) { @@ -69,6 +70,9 @@ public class SofnSegment extends Segment { width = read2Bytes("Image_Width", is, "Not a Valid JPEG File", getByteOrder()); numberOfComponents = readByte("Number_of_components", is, "Not a Valid JPEG File"); + if (numberOfComponents < 0) { + throw new ImageReadException("The number of components in a SOF0Segment cannot be less than 0!"); + } components = new Component[numberOfComponents]; for (int i = 0; i < numberOfComponents; i++) { final int componentIdentifier = readByte("ComponentIdentifier", is, diff --git a/src/test/java/org/apache/commons/imaging/formats/jpeg/JpegReadTest.java b/src/test/java/org/apache/commons/imaging/formats/jpeg/JpegReadTest.java index cbab4a3..20b221e 100644 --- a/src/test/java/org/apache/commons/imaging/formats/jpeg/JpegReadTest.java +++ b/src/test/java/org/apache/commons/imaging/formats/jpeg/JpegReadTest.java @@ -19,9 +19,12 @@ package org.apache.commons.imaging.formats.jpeg; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; import java.awt.image.BufferedImage; import java.io.File; +import java.io.IOException; +import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.stream.Stream; @@ -31,7 +34,9 @@ import org.apache.commons.imaging.ImageReadException; import org.apache.commons.imaging.Imaging; import org.apache.commons.imaging.ImagingConstants; import org.apache.commons.imaging.common.ImageMetadata; +import org.apache.commons.imaging.common.bytesource.ByteSourceFile; import org.apache.commons.imaging.internal.Debug; +import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; @@ -67,4 +72,23 @@ public class JpegReadTest extends JpegBaseTest { } } + /** + * The JPEG image data may contain a negative number of segments, + * in which case the parser could throw a NegativeArraySizeException. + * + * <p>This test case verifies that we are handling that scenario, and + * throwing an ImageReadException instead.</p> + * + * <p>See Google OSS Fuzz issue 33458</p> + * + * @throws IOException if it fails to read the test image + */ + @Test + public void testUncaughtExceptionOssFuzz33458() throws IOException { + final String input = "/images/jpeg/oss-fuzz-33458/clusterfuzz-testcase-minimized-ImagingJpegFuzzer-4548690447564800"; + final String file = JpegReadTest.class.getResource(input).getFile(); + final JpegImageParser parser = new JpegImageParser(); + assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap())); + } + } diff --git a/src/test/resources/images/jpeg/oss-fuzz-33458/clusterfuzz-testcase-minimized-ImagingJpegFuzzer-4548690447564800 b/src/test/resources/images/jpeg/oss-fuzz-33458/clusterfuzz-testcase-minimized-ImagingJpegFuzzer-4548690447564800 new file mode 100644 index 0000000..6c1dad1 Binary files /dev/null and b/src/test/resources/images/jpeg/oss-fuzz-33458/clusterfuzz-testcase-minimized-ImagingJpegFuzzer-4548690447564800 differ