This is an automated email from the ASF dual-hosted git repository. kinow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-imaging.git
The following commit(s) were added to refs/heads/master by this push: new 9b1c46e IMAGING-325: Throw error if the color palette length is negative 9b1c46e is described below commit 9b1c46ea51e70d4d30040014d930cf19200f6660 Author: Bruno P. Kinoshita <ki...@apache.org> AuthorDate: Sat Jan 22 23:34:30 2022 +1300 IMAGING-325: Throw error if the color palette length is negative --- src/changes/changes.xml | 4 ++++ .../apache/commons/imaging/formats/bmp/BmpImageParser.java | 4 ++++ .../apache/commons/imaging/formats/bmp/BmpReadTest.java | 9 +++++++++ .../crash-3afb569de74522535ef65922233e1920455cdc14.bmp | Bin 0 -> 74 bytes 4 files changed, 17 insertions(+) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 95a90b0..313921a 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -45,6 +45,10 @@ The <action> type attribute can be add,update,fix,remove. </properties> <body> <release version="1.0-alpha3" date="2022-??-??" description="Third 1.0 alpha release"> + <action issue="IMAGING-325" dev="kinow" type="fix" due-to="Jin Wang"> + Prevent OutOfMemoryError in BmpImageParser. This can happen when the color palette length is + a large negative number. + </action> <action issue="IMAGING-320" dev="kinow" type="fix" due-to="Gary Lucas"> Read TIFFs with 32-bit samples. </action> diff --git a/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java b/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java index 003dd97..ea956e5 100644 --- a/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java +++ b/src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java @@ -385,6 +385,10 @@ public class BmpImageParser extends ImageParser<BmpImagingParameters> { + bhi.compression); } + if (paletteLength < 0) { + throw new ImageReadException("BMP: Invalid negative palette length: " + paletteLength); + } + byte[] colorTable = null; if (paletteLength > 0) { colorTable = readBytes("ColorTable", is, paletteLength, diff --git a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java index 7e31907..6b30bd8 100644 --- a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java +++ b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpReadTest.java @@ -17,6 +17,7 @@ package org.apache.commons.imaging.formats.bmp; import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; import java.awt.image.BufferedImage; import java.io.File; @@ -76,4 +77,12 @@ public class BmpReadTest extends BmpBaseTest { "/bmp/5/@broken/timeout-bd15dbfa26b4e88070de540c6603039e8a88626f"); new BmpImageParser().dumpImageFile(new ByteSourceFile(inputFile)); } + + @Test + public void testNegativePaletteLength() throws ImageReadException, IOException { + final String input = "/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp"; + final String location = BmpReadTest.class.getResource(input).getFile(); + final File inputFile = new File(location); + assertThrows(ImageReadException.class, () -> new BmpImageParser().dumpImageFile(new ByteSourceFile(inputFile))); + } } diff --git a/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp b/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp new file mode 100644 index 0000000..479105a Binary files /dev/null and b/src/test/resources/images/bmp/IMAGING-325/crash-3afb569de74522535ef65922233e1920455cdc14.bmp differ