Hello Jay

I looked into the bug and the fix.

The root cause of the problem is a malformed "chunk length" field.
Thus the available chunk data to decode could be either larger or smaller than 
the value of "chunk length".

The bug seems to target one specific case, where the available data is larger than 
the value of "chunk length". Moreover, the bug targets a few chunks alone.

When a "chunk length" is mal-formed, exceptions could be triggered while 
reading any data (not just the case indicated by the bug).
There are 4 critical chunks and as many as 12 ancillary chunks that may appear 
in a PNG stream.
Adding checks for every individual case would flood the PNG image reader with 
if (...) checks.

Can you think of any better solution to detect malformed "chunk length" and 
chunk data?

How about using the chunk's CRC field?
You could generate CRC with data read from the stream and compare it against 
the CRC stored for the chunk to validate.

Thank you
Have a good day

Prahalad N.


----- Original Message -----
From: Jayathirth D V 
Sent: Monday, January 22, 2018 4:20 PM
To: 2d-dev
Subject: [OpenJDK 2D-Dev] [11] RFR JDK-8191023: PngReader throws 
NegativeArraySizeException when keyword length exceeds chunk size

Hello All,

Please review the following fix in JDK11 :

Bug : https://bugs.openjdk.java.net/browse/JDK-8191023 
Webrev : http://cr.openjdk.java.net/~jdv/8191023/webrev.00/ 

Note : Submitter has raised 3 bugs JDK-8191023 , JDK-8191076 , JDK-8191109 with 
similar issue but in 3 different PNG chunks. I have closed two bugs and kept 
first opened JBS bug for this issue. From the closed bug test samples are 
picked and merged into one test case.

Issue: When the issue was reported PNGImageReader was throwing 
NegativeArraySizeException when chunk length is malformed and it exceeds 
keyword length. After changes present in 
https://bugs.openjdk.java.net/browse/JDK-8190332 the NegativeArraySizeException 
is wrapped inside IIOException.

Exception in thread "main" javax.imageio.IIOException: Caught exception during read: 
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1707)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
at PngReaderTextChunkKeywordSizeTest.main(PngReaderTextChunkKeywordSizeTest.java:19)
Caused by: java.lang.NegativeArraySizeException
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.parse_tEXt_chunk(PNGImageReader.java:563)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readMetadata(PNGImageReader.java:816)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1331)
at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1700)

Root cause : The chunk length present is less than the keyword length. When 
we parse individual chunks and create a byte array to store the remaining data 
in the chunk, we calculate the byte array size from the chunk length and the size of 
already parsed data like the keyword (like chunkLength - keyword.length() - 2). 
This results in a negative value and it causes NegativeArraySizeException when we 
try to create the byte array.

Solution: Add a check in the parse function of each individual chunk for a 
negative value for the size of the remaining data to be stored. We have PNG 
stream data from 3 bugs with which we can reproduce this issue for the zTXt, tEXt 
and iCCP chunks. We don't have stream data for the iTXt chunk, but I have still 
added a similar check in the parse_iTXt_chunk() function.

Thanks,
Jay
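
The two ideas discussed in this thread (a per-chunk bounds check and a chunk CRC comparison), combined in an added example that is not the webrev or any JDK code. The class name PngChunkCheck, its methods and the sample chunks are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.zip.CRC32;

public class PngChunkCheck {
    // PNG's CRC covers the chunk type and data, not the length field.
    static long crc(byte[] b) { CRC32 c = new CRC32(); c.update(b); return c.getValue(); }

    // Reads one chunk, rejecting a length that overruns the input or a CRC mismatch.
    static byte[] readChunk(ByteBuffer in) throws IOException {
        int length = in.getInt();                       // big-endian by default
        if (length < 0 || length > in.remaining() - 8)  // 8 = type + CRC
            throw new IOException("chunk length " + length + " exceeds available data");
        byte[] typeAndData = new byte[4 + length];
        in.get(typeAndData);
        if (crc(typeAndData) != (in.getInt() & 0xFFFFFFFFL))
            throw new IOException("CRC mismatch");
        return java.util.Arrays.copyOfRange(typeAndData, 4, typeAndData.length);
    }

    // tEXt data: keyword (1-79 bytes), NUL, text; the NUL must lie inside the chunk.
    static String[] parseText(byte[] data) throws IOException {
        int nul = 0;
        while (nul < data.length && data[nul] != 0) nul++;
        if (nul == 0 || nul > 79 || nul == data.length)
            throw new IOException("tEXt keyword missing or not terminated within chunk");
        return new String[] { new String(data, 0, nul, StandardCharsets.ISO_8859_1),
            new String(data, nul + 1, data.length - nul - 1, StandardCharsets.ISO_8859_1) };
    }

    // Constructed sample: a tEXt chunk whose length field may disagree with its payload.
    static ByteBuffer chunk(int declaredLength, String payload) {
        byte[] body = ("tEXt" + payload).getBytes(StandardCharsets.ISO_8859_1);
        return (ByteBuffer) ByteBuffer.allocate(body.length + 8)
            .putInt(declaredLength).put(body).putInt((int) crc(body)).flip();
    }

    public static void main(String[] args) {
        String[][] cases = { {"11", "Title\0hello"}, {"3", "Title\0hello"}, {"5", "Title"} };
        for (String[] c : cases) {
            try {
                String[] kv = parseText(readChunk(chunk(Integer.parseInt(c[0]), c[1])));
                System.out.println(c[0] + ": " + kv[0] + " = " + kv[1]);
            } catch (IOException e) {
                System.out.println(c[0] + ": rejected, " + e.getMessage());
            }
        }
    }
}
```

The third constructed case carries a correct CRC and is still rejected by the keyword check, so the CRC comparison complements the per-chunk bounds check rather than replacing it.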
