Posted to commits@commons.apache.org by ki...@apache.org on 2021/11/06 05:21:05 UTC

[commons-imaging] branch master updated: [IMAGING-318] Validate index when accessing GIF parser color table

This is an automated email from the ASF dual-hosted git repository.

kinow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-imaging.git


The following commit(s) were added to refs/heads/master by this push:
     new 3103957  [IMAGING-318] Validate index when accessing GIF parser color table
3103957 is described below

commit 310395799ed09a6b8848115b847bf0a49bc0ad45
Author: Bruno P. Kinoshita <ki...@apache.org>
AuthorDate: Sat Nov 6 18:11:58 2021 +1300

    [IMAGING-318] Validate index when accessing GIF parser color table
---
 src/changes/changes.xml                                  |   3 +++
 .../commons/imaging/formats/gif/GifImageParser.java      |   3 +++
 .../apache/commons/imaging/formats/gif/GifReadTest.java  |  15 +++++++++++++++
 ...-testcase-minimized-ImagingGifFuzzer-5005192379629568 | Bin 0 -> 36 bytes
 4 files changed, 21 insertions(+)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 34f3291..3691f17 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -165,6 +165,9 @@ The <action> type attribute can be add,update,fix,remove.
       <action issue="IMAGING-317" dev="kinow" type="fix" due-to="OSS-Fuzz">
         A PNG image using indexed color type but no PLTE chunks throws NPE.
       </action>
+      <action issue="IMAGING-318" dev="kinow" type="fix" due-to="OSS-Fuzz">
+        Validate when accessing GIF color table array.
+      </action>
     </release>
     <release version="1.0-alpha2" date="2020-08-01" description="Second 1.0 alpha release">
       <action issue="IMAGING-258" dev="kinow" type="update" due-to="Gary Lucas">
diff --git a/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java b/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
index 105db38..a8e6a3f 100644
--- a/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
+++ b/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
@@ -784,6 +784,9 @@ public class GifImageParser extends ImageParser implements XmpEmbeddable {
                     throw new ImageReadException(String.format("Invalid GIF image data length [%d], greater than the image data length [%d]", id.imageData.length, width));
                 }
                 final int index = 0xff & id.imageData[counter++];
+                if (index >= colorTable.length) {
+                    throw new ImageReadException(String.format("Invalid GIF color table index [%d], greater than the color table length [%d]", index, colorTable.length));
+                }
                 int rgb = colorTable[index];
 
                 if (transparentIndex == index) {
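Review bot: The message on the added `throw` says the index is "greater than the color table length", but the guard is `index >= colorTable.length`, so an index equal to the length is reported with inaccurate wording; `"Invalid GIF color table index [%d], must be less than the color table length [%d]"` would match the condition. Because `index` is masked with `0xff` it cannot be negative, so the upper-bound comparison alone is sufficient, and a short comment such as `// index is 0..255 after masking; only the upper bound can be violated by a malformed file` would record that. The guard runs before the `transparentIndex == index` comparison, so a pixel using a transparent index beyond the table is rejected rather than treated as transparent; the array read already preceded that comparison, so this looks unchanged in effect, but it is worth confirming that is the intended handling. The enclosing method starts and ends outside the hunk.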
diff --git a/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java b/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java
index 00e2bfd..ea69a9e 100644
--- a/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java
+++ b/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java
@@ -182,4 +182,19 @@ public class GifReadTest extends GifBaseTest {
         final GifImageParser parser = new GifImageParser();
         assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap()));
     }
+
+    /**
+     * Test that invalid indexes are validated when accessing GIF color table array.
+     *
+     * <p>See Google OSS Fuzz issue 34185</p>
+     *
+     * @throws IOException if it fails to read the test image
+     */
+    @Test
+    public void testUncaughtExceptionOssFuzz34185() throws IOException {
+        final String input = "/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568";
+        final String file = GifReadTest.class.getResource(input).getFile();
+        final GifImageParser parser = new GifImageParser();
+        assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap()));
+    }
 }
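Review bot: `assertThrows(ImageReadException.class, ...)` in `testUncaughtExceptionOssFuzz34185` passes for any `ImageReadException`, so the test would stay green if the fuzzer input were rejected by an earlier check while the color-table guard regressed. Capturing the exception and checking its text ties the test to this fix: `final ImageReadException e = assertThrows(ImageReadException.class, ...);` followed by `assertTrue(e.getMessage().contains("color table index"));` (assuming `assertTrue` is available in this test class). Separately, `getResource(input).getFile()` returns a URL-encoded path and throws a NullPointerException when the resource is missing, so the test can fail confusingly on a checkout path containing spaces; the existing test just above uses the same pattern, so it may be better addressed in both places.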
diff --git a/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568 b/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568
new file mode 100644
index 0000000..4624bb5
Binary files /dev/null and b/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568 differ