You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Jacobo Tarrio (JIRA)" <ji...@apache.org> on 2010/05/04 02:12:55 UTC

[jira] Created: (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header

Sanselan can be made to crash with an image with wrong data in EXIF header
--------------------------------------------------------------------------

                 Key: SANSELAN-39
                 URL: https://issues.apache.org/jira/browse/SANSELAN-39
             Project: Commons Sanselan
          Issue Type: Bug
            Reporter: Jacobo Tarrio


Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.

When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.

The fix would consist of replacing the condition with one like the following:

if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (SANSELAN-39) Sanselan can be made to crash with an image with wrong data in EXIF header

Posted by "Charles Matthew Chen (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/SANSELAN-39?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Charles Matthew Chen closed SANSELAN-39.
----------------------------------------

    Resolution: Fixed

I committed a patch along the lines of your suggestion.

http://svn.apache.org/viewcvs?view=rev&rev=995526


> Sanselan can be made to crash with an image with wrong data in EXIF header
> --------------------------------------------------------------------------
>
>                 Key: SANSELAN-39
>                 URL: https://issues.apache.org/jira/browse/SANSELAN-39
>             Project: Commons Sanselan
>          Issue Type: Bug
>            Reporter: Jacobo Tarrio
>
> Investigating a query of death, I found an image that had an EXIF tag that specified start=1342195485 and length=974913536.
> When ByteSourceArray.getBlock(start,length) was called, it passed the test "if (start + length > bytes.length)", as start+length is a negative number. This caused the server to try to allocate a buffer 950 MB big and then save it in "bytes" starting at position 1.3G. This produces either a heap space exhaustion or an array out of bounds error.
> The fix would consist of replacing the condition with one like the following:
> if (start < 0 || length < 0 || start + length < 0 || start + length > bytes.length)

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.