Posted to issues@commons.apache.org by "Brien Voorhees (JIRA)" <ji...@apache.org> on 2010/01/06 02:27:54 UTC

[jira] Updated: (SANSELAN-17) integer overflow unhandled

     [ https://issues.apache.org/jira/browse/SANSELAN-17?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brien Voorhees updated SANSELAN-17:
-----------------------------------

    Attachment: crash.jpeg

I'm trying to use Sanselan to analyze images in a live mailstream, and unfortunately it crashes with OutOfMemory on malformed JPEG images.

Attached is an example.  

Below is the verbose output and a stack trace:

blockType 1005 (0x3ed)
blockSize 16 (0x10)
blockType 1037 (0x40d)
blockSize 4 (0x4)
blockType 1011 (0x3f3)
blockSize 8 (0x8)
blockType 1034 (0x40a)
blockSize 1 (0x1)
blockType 10000 (0x2710)
blockSize 10 (0xa)
blockType 1013 (0x3f5)
blockSize 72 (0x48)
blockType 1016 (0x3f8)
blockSize 112 (0x70)
blockType 1032 (0x408)
blockSize 16 (0x10)
blockType 1044 (0x414)
blockSize 4 (0x4)
blockType 1036 (0x40c)
blockSize 568 (0x238)
blockType 4000 (0xfa0)
blockSize 84 (0x54)
blockType 4001 (0xfa1)
blockSize 86622 (0x1525e)
Invalid Image Resource Block data
blockType 28519 (0x6f67)
blockNameLength 108 (0x6c)
blockSize 1811939328 (0x6c000000)

Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
	at org.apache.sanselan.common.BinaryInputStream.readByteArray(BinaryInputStream.java:472)
	at org.apache.sanselan.formats.jpeg.iptc.IPTCParser.parseAllBlocks(IPTCParser.java:323)
	at org.apache.sanselan.formats.jpeg.iptc.IPTCParser.parsePhotoshopSegment(IPTCParser.java:116)
	at org.apache.sanselan.formats.jpeg.iptc.IPTCParser.parsePhotoshopSegment(IPTCParser.java:107)
	at org.apache.sanselan.formats.jpeg.segments.App13Segment.parsePhotoshopSegment(App13Segment.java:80)
	at org.apache.sanselan.formats.jpeg.JpegImageParser.getPhotoshopMetadata(JpegImageParser.java:607)
	at org.apache.sanselan.formats.jpeg.JpegImageParser.getMetadata(JpegImageParser.java:309)
	at org.apache.sanselan.Sanselan.getMetadata(Sanselan.java:978)
	at org.apache.sanselan.Sanselan.getMetadata(Sanselan.java:971)


> integer overflow unhandled
> --------------------------
>
>                 Key: SANSELAN-17
>                 URL: https://issues.apache.org/jira/browse/SANSELAN-17
>             Project: Commons Sanselan
>          Issue Type: Bug
>    Affects Versions: 0.94-incubator
>         Environment: win32, 32 bit operating systems
>            Reporter: Greg Squires
>         Attachments: crash.jpeg
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> This function can throw an Exception in ByteSourceArray.java due to a negative byte[] allocation size. The length argument has been found to wrap when called from IccProfileParser.java.
> On 64-bit machines, issues related to incorrect metadata or ICC data can lead to incorrect and excess memory allocations. These large numbers, however, cause 32-bit negative signed values.
> 	public byte[] getBlock(int start, int length) throws IOException
> 	{
> 		if (start + length > bytes.length)
> 			throw new IOException("Could not read block (block start: " + start
> 					+ ", block length: " + length + ", data length: "
> 					+ bytes.length + ").");
> 		byte result[] = new byte[length];
> 		System.arraycopy(bytes, start, result, 0, length);
> 		return result;
> 	}

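An added example, not part of the original message and not Sanselan's own code: the bounds check quoted in the issue beside an overflow-safe form that validates start and length before allocating. The class name BlockBounds, the method names and the sample inputs are hypothetical and constructed for illustration; only the 0x6c000000 value is taken from the verbose output above.

```java
import java.io.IOException;

// Added example, not Sanselan code: class and method names are hypothetical.
public class BlockBounds {

    // Check from the report: start + length can wrap negative and a negative
    // length is never rejected, so bad values reach `new byte[length]`.
    static boolean originalCheckPasses(int start, int length, int dataLength) {
        return !(start + length > dataLength);
    }

    // Overflow-safe form: reject negatives first, then compare length against
    // the bytes that remain after start, which cannot wrap.
    static byte[] getBlockChecked(byte[] bytes, int start, int length) throws IOException {
        if (start < 0 || length < 0 || start > bytes.length
                || length > bytes.length - start)
            throw new IOException("Could not read block (block start: " + start
                    + ", block length: " + length + ", data length: "
                    + bytes.length + ").");
        byte[] result = new byte[length];
        System.arraycopy(bytes, start, result, 0, length);
        return result;
    }

    public static void main(String[] args) throws IOException {
        byte[] data = new byte[64]; // constructed sample buffer
        // Constructed inputs: a wrapped sum, a negative length, the blockSize
        // value from the verbose output (0x6c000000), and one valid request.
        int[][] cases = { {32, Integer.MAX_VALUE}, {0, -1}, {16, 0x6c000000}, {8, 16} };
        for (int[] c : cases) {
            String hardened;
            try {
                hardened = "returns " + getBlockChecked(data, c[0], c[1]).length + " bytes";
            } catch (IOException e) {
                hardened = "rejected";
            }
            System.out.println("start=" + c[0] + " length=" + c[1]
                    + " originalCheckPasses=" + originalCheckPasses(c[0], c[1], data.length)
                    + " hardened=" + hardened);
        }
    }
}
```

The first two cases pass the original check and are rejected by the hardened one. The same "length no greater than the bytes remaining" comparison applies to any length field read from the file before it is used as an allocation size.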