[IMAGING-203] JPEG segment size not validated - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.0-alpha1
Component/s: Format: JPEG
Labels:
None

Description

Using my AFL-based fuzzer for Java, Kelinci (https://github.com/isstac/kelinci) I found that a NegativeArraySizeException may be throw when attempting to read an invalid JPEG image.

Each JPEG segment starts with a two-byte unsigned integer specifying the segment size. Segments are parsed by org.apache.commons.imaging.formats.jpeg.JpegUtils.traverseJFIF(). As the specified size includes these two bytes, the method subtracts 2 from the size before it is used. It then attempts to allocate a buffer for the segment, which fails if the specified size is 0 or 1. The method should throw an ImageReadException instead.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

NegSegmentSize.JPG
15/Aug/17 21:30
0.0 kB
Rody Kersten
NegSegmentSize.patch
15/Aug/17 21:28
3 kB
Rody Kersten

Activity

People

Assignee:: Bruno P. Kinoshita

Reporter:: Rody Kersten

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 15/Aug/17 21:27

Updated:: 07/Aug/20 04:32

Resolved:: 29/Dec/17 11:40