On Mon, 3 Mar 2025 21:13:18 GMT, Jeremy <d...@openjdk.org> wrote:

>> This adds support for parsing thumbnails in an APP1 Exif marker.
>> 
>> This builds on an unfinished proposal by Brian Burkhalter (around 2016). In 
>> that previous work the only additional meta info he parsed was the image 
>> creation time; this PR similarly includes the same property. (I can't speak 
>> to why he included that property, but it looks like he has a lot of 
>> experience with ImageIO so I trust his judgment.)
>> 
>> ~~The test addresses the original images attached to the ticket plus a few 
>> extra images I found on my computer that include unusual properties. 
>> (Possibly those images are malformed, but if they exist in the wild and 
>> other platforms support them then I'd prefer to support them too.)~~
>> 
>> The images used in this test are contributed by Brian and me.
>
> Jeremy has updated the pull request with a new target base due to a merge or 
> a rebase. The incremental webrev excludes the unrelated changes brought in by 
> the merge/rebase. The pull request contains 31 additional commits since the 
> last revision:
> 
>  - Merge branch 'master' into JDK-8160327
>  - Merge branch 'openjdk:master' into master
>  - Revert "8160327: trying to placate PR script"
>    
>    This reverts commit 52cf81f49a61d80c473b69e4a504eeb1d03c38a3.
>  - 8160327: trying to placate PR script
>    
>    The github script still classifies two of the sample jpgs as executable 
> files, which it classifies as errors.
>  - 8160327: trying to placate PR script
>    
>    Some github script is concluding:
>    ```
>    Errors
>     ⚠️ Executable files are not allowed (file: 
> test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/jfif_and_exif.jpg)
>     ⚠️ Executable files are not allowed (file: 
> test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/malicious_looping_IFD.jpg)
>    ```
>    
>    I'm trying to figure out what separates these files from the other JPGs. Maybe 
> I need to use hyphens instead of underscores...? Let's check.
>  - 8160327: replacing the "sony-d700" image
>    
>    The origins of that image were unknown, so we weren't sure if we had the 
> rights to store it in the OpenJDK repo.
>    
>    I couldn't figure out how to create this kind of uncompressed thumbnail 
> from an image editing app, so I spliced this new file together manually in a 
> hex editor using the sony-d700 image as a blueprint.
>  - 8160327: fix looping ImageFileDirectory vulnerability
>    
>    There was a `while` loop that someone could exploit to loop infinitely. 
> Now we read exactly 2 iterations and stop.
>  - 8160327: remove bug ID from image file names
>    
>    Now the bug ID is mentioned in their parent directory name.
>    
>    This is in response to:
>    https://github.com/openjdk/jdk/pull/22898#issuecomment-2675396159
>  - 8160327: replace image of unknown origin with my own image
>  - 8160327: alphabetize imports
>    
>    This is in response to:
>    https://github.com/openjdk/jdk/pull/22898#discussion_r1956718373
>  - ... and 21 more: https://git.openjdk.org/jdk/compare/caf53b2e...b70b0802

Btw, two of the files are executable. To fix this: `chmod 644 file [file ...]` 
and then commit the change in file permission.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22898#issuecomment-2695550383
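The looping-IFD bug named in the commit messages above ("a `while` loop that someone could exploit to loop infinitely", fixed by reading exactly two IFDs), as an added example in Python. This is not code from the PR or from ImageIO: the Exif bytes are constructed here, the tag numbers 0x0100, 0x0132, 0x0201 and 0x0202 come from the Exif specification, and `walk_ifds_bounded` is my own rendering of the PR's "read exactly 2 iterations and stop" rule, not its Java.

```python
import struct

# Exif/TIFF tag numbers from the Exif specification (not taken from the PR).
TAG_DATETIME = 0x0132            # the "image creation time" property the PR also parses
TAG_JPEG_THUMB_OFFSET = 0x0201   # JPEGInterchangeFormat, lives in IFD1
TAG_JPEG_THUMB_LENGTH = 0x0202   # JPEGInterchangeFormatLength, lives in IFD1


def build_tiff(loop_back):
    """Constructed little-endian TIFF body of an Exif APP1 segment.
    Layout: header @0 | IFD0 @8 | IFD1 @38 | DateTime ASCII @68 | thumbnail @88.
    loop_back=True makes IFD1's next-IFD pointer point back at IFD0 (a looping
    IFD file). The thumbnail bytes are a stand-in, not a real JPEG."""
    datetime = b"2025:03:03 21:13:18\x00"
    thumb = b"\xff\xd8\xff\xd9"
    ifd0_off, ifd1_off, dt_off, thumb_off = 8, 38, 68, 88
    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHII", 0x0100, 3, 1, 640)                       # ImageWidth, SHORT stored inline
    ifd0 += struct.pack("<HHII", TAG_DATETIME, 2, len(datetime), dt_off)  # ASCII stored by offset
    ifd0 += struct.pack("<I", ifd1_off)
    ifd1 = struct.pack("<H", 2)
    ifd1 += struct.pack("<HHII", TAG_JPEG_THUMB_OFFSET, 4, 1, thumb_off)
    ifd1 += struct.pack("<HHII", TAG_JPEG_THUMB_LENGTH, 4, 1, len(thumb))
    ifd1 += struct.pack("<I", ifd0_off if loop_back else 0)
    return header + ifd0 + ifd1 + datetime + thumb


def read_ifd(tiff, offset, endian):
    """Parse one IFD -> ({tag: (type, count, value_or_offset)}, next_ifd_offset).
    Every offset comes from the file, so each is bounds-checked before use."""
    if offset < 8 or offset + 2 > len(tiff):
        raise ValueError("IFD offset out of range")
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    end = offset + 2 + 12 * count + 4
    if end > len(tiff):
        raise ValueError("IFD runs past end of TIFF data")
    entries = {}
    for i in range(count):
        ent = offset + 2 + 12 * i
        tag, typ, n, val = struct.unpack_from(endian + "HHII", tiff, ent)
        if typ == 3 and n == 1:  # a single SHORT is left-justified in the 4-byte value field
            (val,) = struct.unpack_from(endian + "H", tiff, ent + 8)
        entries[tag] = (typ, n, val)
    (next_off,) = struct.unpack_from(endian + "I", tiff, end - 4)
    return entries, next_off


def walk_ifds_naive(tiff, endian, safety_limit=1000):
    """Pre-fix shape: follow next-IFD pointers until one is zero. If IFD1 points
    back at IFD0 that never happens; safety_limit only keeps this demo finite."""
    ifds = []
    (off,) = struct.unpack_from(endian + "I", tiff, 4)
    while off != 0:
        if len(ifds) >= safety_limit:
            raise RuntimeError("IFD chain still cycling after %d steps" % safety_limit)
        entries, off = read_ifd(tiff, off, endian)
        ifds.append(entries)
    return ifds


def naive_walk_spins(tiff, endian):
    """True if the naive walker only stops because its safety limit cut it off."""
    try:
        walk_ifds_naive(tiff, endian, safety_limit=50)
        return False
    except RuntimeError:
        return True


def walk_ifds_bounded(tiff, endian):
    """Fixed shape, mirroring the PR's 'read exactly 2 iterations and stop': Exif
    defines only IFD0 (main image) and IFD1 (thumbnail), so IFD1's next pointer
    is never followed, whatever it says."""
    ifds = []
    (off,) = struct.unpack_from(endian + "I", tiff, 4)
    for _ in range(2):
        if off == 0:
            break
        entries, off = read_ifd(tiff, off, endian)
        ifds.append(entries)
    return ifds


def parse_exif_app1(payload):
    """Extract DateTime and the JPEG thumbnail from an APP1 payload (the bytes
    after the FF E1 marker and its length word)."""
    if not payload.startswith(b"Exif\x00\x00") or len(payload) < 14:
        raise ValueError("not an Exif APP1 payload")
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    ifds = walk_ifds_bounded(tiff, endian)
    result = {"datetime": None, "thumbnail": None}
    if ifds:
        typ, n, off = ifds[0].get(TAG_DATETIME, (0, 0, 0))
        if typ == 2 and n > 4 and off + n <= len(tiff):  # ASCII with count > 4 lives at an offset
            result["datetime"] = tiff[off:off + n].rstrip(b"\x00").decode("ascii", "replace")
    if len(ifds) > 1 and TAG_JPEG_THUMB_OFFSET in ifds[1] and TAG_JPEG_THUMB_LENGTH in ifds[1]:
        off, length = ifds[1][TAG_JPEG_THUMB_OFFSET][2], ifds[1][TAG_JPEG_THUMB_LENGTH][2]
        if off + length <= len(tiff):  # Python ints cannot wrap; in Java also guard int overflow
            result["thumbnail"] = tiff[off:off + length]
    return result
```

`naive_walk_spins(build_tiff(True), "<")` returns True: the pre-fix walker keeps bouncing between offsets 8 and 38 until its safety limit cuts it off, which in a real reader is an infinite loop triggered by one 4-byte field. `parse_exif_app1(b"Exif\x00\x00" + build_tiff(True))` on the same bytes returns the DateTime string and the thumbnail bytes without ever following the back pointer. Two things carry over to the Java side: the IFD0/IFD1 cap is the structural fix (a visited-offset set would also work, but the Exif thumbnail only ever lives in IFD1, so there is no reason to go further), and the `offset + length <= len(tiff)` checks must be written so that attacker-chosen 32-bit values cannot overflow an `int` before the comparison.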