Posted to issues@commons.apache.org by "Jacobo Tarrio (JIRA)" <ji...@apache.org> on 2010/05/04 02:12:55 UTC
[jira] Created: (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header
Sanselan can be made to crash with an image with wrong data in EXIF header
--------------------------------------------------------------------------
Key: SANSELAN-39
URL: https://issues.apache.org/jira/browse/SANSELAN-39
Project: Commons Sanselan
Issue Type: Bug
Reporter: Jacobo Tarrio
Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.
When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.
The fix would consist of replacing the condition with one like the following:
if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
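
The integer wrap-around described in the report above, as an added example (not Sanselan source and not part of the original messages). The class name, method names and the 64 KiB array length are assumptions; only the start/length pair in the first case and the two quoted conditions come from the report. It also shows a subtraction form of the check that never computes start + length.

```java
// Added illustration; not Sanselan source. All names here are hypothetical.
public class BlockBoundsDemo {

    // The test quoted in the report: the int sum can wrap to a negative value.
    static boolean rejectedByOriginal(int start, int length, int arrayLength) {
        return start + length > arrayLength;
    }

    // The condition proposed in the report. Two non-negative ints that
    // overflow always wrap to a negative sum, so "start + length < 0" catches it.
    static boolean rejectedByProposed(int start, int length, int arrayLength) {
        return start < 0 || length < 0 || start + length < 0
                || start + length > arrayLength;
    }

    // Same decision without ever forming start + length, so nothing can wrap:
    // once 0 <= start <= arrayLength holds, arrayLength - start cannot overflow.
    static boolean rejectedBySubtraction(int start, int length, int arrayLength) {
        return start < 0 || length < 0 || start > arrayLength
                || length > arrayLength - start;
    }

    public static void main(String[] args) {
        int arrayLength = 64 * 1024;      // constructed: size of a small image file
        int[][] cases = {
            {1342195485, 974913536},      // start/length values from the report
            {0, 16},                      // constructed: valid block
            {65530, 16},                  // constructed: past the end, no wrap
            {-1, 16},                     // constructed: negative start
            {Integer.MAX_VALUE, 1},       // constructed: smallest wrapping length
        };
        for (int[] c : cases) {
            int start = c[0];
            int length = c[1];
            System.out.printf(
                "start=%d length=%d intSum=%d longSum=%d "
                    + "original=%b proposed=%b subtraction=%b%n",
                start, length, start + length, (long) start + length,
                rejectedByOriginal(start, length, arrayLength),
                rejectedByProposed(start, length, arrayLength),
                rejectedBySubtraction(start, length, arrayLength));
        }
    }
}
```

The intSum and longSum columns show where 32-bit addition diverges from the true sum; those are the rows where the original test lets the request through while the other two reject it.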
[jira] Closed: (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header
Posted by "Charles Matthew Chen (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SANSELAN-39?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Charles Matthew Chen closed SANSELAN-39.
----------------------------------------
Resolution: Fixed
I committed a patch along the lines of your suggestion.
http://svn.apache.org/viewcvs?view=rev&rev=995526
> Sanselan can be made to crash with an image with wrong data in EXIF header
> --------------------------------------------------------------------------
>
> Key: SANSELAN-39
> URL: https://issues.apache.org/jira/browse/SANSELAN-39
> Project: Commons Sanselan
> Issue Type: Bug
> Reporter: Jacobo Tarrio
>
> Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.
> When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.
> The fix would consist of replacing the condition with one like the following:
> if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)