On Wed, 15 Feb 2023 23:20:03 GMT, Sergey Bylokhov <[email protected]> wrote:

>> We have a check in BMPImageReader, where we verify image data size using BMP 
>> file size and bitmap offset value.
>> But we can't rely on this calculation when we have a color palette. Also, a color 
>> palette is necessary in BMP when bits per pixel is less than 16 according to 
>> the BMP specification 
>> (https://learn.microsoft.com/en-us/windows/win32/api/wingdi/ns-wingdi-bitmapv4header).
>> 
>> Now extra checks are added to not perform this check when we have color 
>> palette or bpp is less than 16.
>> 
>> Also when bitsPerPixel was less than 8 it was getting down-casted to 0. So 
>> this is also resolved by making this check for >=16bpp and not doing 
>> (bitsPerPixel / 8)
>
> src/java.desktop/share/classes/com/sun/imageio/plugins/bmp/BMPImageReader.java
>  line 596:
> 
>> 594: 
>> 595:         if (metadata.compression == BI_RGB &&
>> 596:             metadata.paletteSize == 0 &&
> 
> Do we validate the "metadata.paletteSize" in all code paths above, or can it 
> be substituted to have the wrong value (do we actually trust it)?

We read the color palette using ReaderUtil.staggeredReadByteStream() at all places 
to make sure we will not end up in OOME situations. So we can say that the 
paletteSize parameter is well protected.

In general, we can't verify checks for all the parameters of the header in a 
stream. This just adds more verification to overcome the regression introduced 
for reading lower bpp images.

-------------

PR: https://git.openjdk.org/jdk/pull/12573
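
The gating discussed in this thread, as an added example that is not the OpenJDK source and not part of the original messages: the size comparison runs only for uncompressed, palette-free images at 16 bpp or more, which also avoids `bitsPerPixel / 8` truncating to 0. The class, method and parameter names are hypothetical, the exact comparison is an assumption, and row padding is ignored so the estimate is a lower bound.

```java
// Added illustration; hypothetical names, not BMPImageReader itself.
public class BmpDataSizeCheck {

    /** Estimate using integer division: truncates to 0 below 8 bpp. */
    static long naiveDataSize(int width, int height, int bitsPerPixel) {
        return (long) width * height * (bitsPerPixel / 8);
    }

    /**
     * Returns true when the header is acceptable to this one check.
     * The comparison is applied only when the image is uncompressed,
     * has no palette, and uses >= 16 bpp; all other cases are left to
     * the reader's remaining safeguards (assumed to exist elsewhere).
     */
    static boolean passesSizeCheck(boolean uncompressedRgb, int paletteSize,
                                   int bitsPerPixel, int width, int height,
                                   long fileSize, long bitmapOffset) {
        if (!uncompressedRgb || paletteSize != 0 || bitsPerPixel < 16) {
            return true; // check not applicable to this image
        }
        // bitsPerPixel >= 16 here, so bytes per pixel is never 0.
        // long arithmetic keeps large header values from overflowing int.
        long needed = (long) width * height * (bitsPerPixel / 8);
        long available = fileSize - bitmapOffset;
        return needed <= available;
    }

    public static void main(String[] args) {
        // All header values below are constructed, not from a real file.

        // 4 bpp: the truncated estimate constrains nothing.
        System.out.println("naive 4bpp estimate: "
                + naiveDataSize(64, 64, 4));

        // 4 bpp with a palette present: the size check is skipped.
        System.out.println("4bpp + palette passes: "
                + passesSizeCheck(true, 16, 4, 64, 64, 2166, 118));

        // 24 bpp, header claims 4000x4000 but the file is 1 KiB.
        System.out.println("oversized 24bpp passes: "
                + passesSizeCheck(true, 0, 24, 4000, 4000, 1024, 54));

        // 24 bpp, 2x2 image with 16 bytes after the offset.
        System.out.println("small 24bpp passes: "
                + passesSizeCheck(true, 0, 24, 2, 2, 70, 54));
    }
}
```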
