kinow commented on a change in pull request #196:
URL: https://github.com/apache/commons-imaging/pull/196#discussion_r790188690
##########
File path:
src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java
##########
@@ -385,6 +385,10 @@ private BmpImageContents readImageContents(final
InputStream is,
+ bhi.compression);
}
+ if (paletteLength < 0) {
+ throw new ImageReadException("Invalid negative palette length: " +
paletteLength);
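Review bot: the `paletteLength < 0` guard only catches an overflow whose wrapped result happens to land in the negative range; if paletteLength is the product of two ints (as the multiplyExact discussion on this PR implies), a product that wraps past Integer.MIN_VALUE comes back positive and passes this check with a value far smaller than the header claimed. Compute the product in long and range-test it, or use Math.multiplyExact (in java.lang.Math since Java 8), before this point, so that the negative check is a backstop rather than the only defence. Including the raw operands in the exception message, not just the wrapped result, would also make a rejected file easier to diagnose.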
Review comment:
Maybe we can write some helper functions to identify when an overflow
will occur? Similar to these ones:
https://wiki.sei.cmu.edu/confluence/display/java/NUM00-J.+Detect+or+prevent+integer+overflow
Adding a TODO to replace by
[multiplyExact](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Math.html#multiplyExact(int,int))
when we move to Java 11?
If that looks good, I'd prefer to fix this issue as-is, and create a
separate issue for this (with a mention of this PR), since there are lots of
other places that would use these functions. WDYT?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
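The overflow helpers kinow's comment asks about, as an added example that is not commons-imaging code and not part of the PR. It shows why a plain `< 0` check on the palette length misses some wrapped products, and implements both approaches mentioned in the thread: a SEI CERT NUM00-J style pre-check that widens to long, and Math.multiplyExact (present in java.lang.Math since Java 8). Assumptions, all local to this example: the `ImageReadException` class is a stand-in for the project's exception, each palette entry is taken to be a 4-byte BGRA quad, the sample headers are constructed in code, and the palette count is read from the biClrUsed field at offset 32 of a standard 40-byte BITMAPINFOHEADER.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Added example (not commons-imaging code): overflow-safe computation of a BMP
 * palette length, contrasting a bare "< 0" check with two checked multiplies.
 */
public final class SafePaletteLength {

    /** Stand-in for the project's ImageReadException; hypothetical, local to this example. */
    static final class ImageReadException extends Exception {
        ImageReadException(String msg) { super(msg); }
    }

    /** Assumption for this example: one BGRA quad (4 bytes) per palette entry. */
    static final int BYTES_PER_ENTRY = 4;

    /** Offset of biClrUsed inside a 40-byte BITMAPINFOHEADER (little-endian, unsigned 32-bit). */
    static final int BI_CLR_USED_OFFSET = 32;

    /** NUM00-J style pre-check: widen to long, range-test, then narrow back to int. */
    static int checkedMultiply(int a, int b) throws ImageReadException {
        long product = (long) a * b;
        if (product < Integer.MIN_VALUE || product > Integer.MAX_VALUE) {
            throw new ImageReadException("int overflow: " + a + " * " + b + " = " + product);
        }
        return (int) product;
    }

    /** Same contract via Math.multiplyExact, which throws ArithmeticException on overflow. */
    static int exactMultiply(int a, int b) throws ImageReadException {
        try {
            return Math.multiplyExact(a, b);
        } catch (ArithmeticException e) {
            throw new ImageReadException("int overflow: " + a + " * " + b);
        }
    }

    /** Reads biClrUsed from an info header and returns the palette size in bytes, or rejects it. */
    static int paletteLength(byte[] infoHeader) throws ImageReadException {
        ByteBuffer buf = ByteBuffer.wrap(infoHeader).order(ByteOrder.LITTLE_ENDIAN);
        int colorsUsed = buf.getInt(BI_CLR_USED_OFFSET);
        // The on-disk field is unsigned; any value >= 2^31 already reads as negative here.
        if (colorsUsed < 0) {
            throw new ImageReadException("Invalid palette count: " + (colorsUsed & 0xFFFFFFFFL));
        }
        // Checked multiply: a wrapped product is rejected whether it would land negative or positive.
        return exactMultiply(colorsUsed, BYTES_PER_ENTRY);
    }

    /** Constructed test input: a 40-byte BITMAPINFOHEADER with only biSize and biClrUsed set. */
    static byte[] infoHeaderWithColorsUsed(int colorsUsed) {
        ByteBuffer buf = ByteBuffer.allocate(40).order(ByteOrder.LITTLE_ENDIAN);
        buf.putInt(0, 40);
        buf.putInt(BI_CLR_USED_OFFSET, colorsUsed);
        return buf.array();
    }

    public static void main(String[] args) {
        // 256: benign. 0x20000000 * 4 wraps to Integer.MIN_VALUE (negative, caught by "< 0").
        // 0x40000001 * 4 wraps to 4: positive, so a "< 0" check alone would accept a 4-byte palette.
        int[] samples = { 256, 0x20000000, 0x40000001 };
        for (int colorsUsed : samples) {
            int naive = colorsUsed * BYTES_PER_ENTRY;   // plain int arithmetic, as a parser might do it
            String verdict;
            try {
                verdict = "accepted, " + paletteLength(infoHeaderWithColorsUsed(colorsUsed)) + " bytes";
            } catch (ImageReadException e) {
                verdict = "rejected: " + e.getMessage();
            }
            String preCheck;
            try {
                preCheck = String.valueOf(checkedMultiply(colorsUsed, BYTES_PER_ENTRY));
            } catch (ImageReadException e) {
                preCheck = "rejected";
            }
            System.out.printf("colorsUsed=%d naive=%d (caught by \"< 0\"? %b) checkedMultiply=%s -> %s%n",
                    colorsUsed, naive, naive < 0, preCheck, verdict);
        }
    }
}
```

Both helpers reject the same inputs; the long-widening version is the one to use if the code base must stay on an older Java than the `Math.*Exact` family requires, otherwise `Math.multiplyExact` is shorter and the JIT intrinsifies it. Either way the `< 0` check stays useful as a guard for the unsigned-field case, but it should not be the only guard.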