Bruno P. Kinoshita created IMAGING-326:
------------------------------------------
Summary: Update to Java 11 and use JDK's multiplyExact to avoid
integer overflows
Key: IMAGING-326
URL: https://issues.apache.org/jira/browse/IMAGING-326
Project: Commons Imaging
Issue Type: Improvement
Components: imaging.*
Affects Versions: 1.0-alpha2
Reporter: Bruno P. Kinoshita
Fix For: 1.0
See PR
[https://github.com/apache/commons-imaging/pull/196#discussion_r790148843] for
context.
Integer overflow is a common source of problems in Imaging. The work on this
issue is to address when that could happen and prevent it of doing so.
Java 11 includes methods like
[multiplyExact|https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Math.html#multiplyExact(int,int)]
which are convenient for us.
Given the next release will be 1.0-alpha3, I think the 1.0 final should be cut
by Q3 or Q4 this year (or even Q1 next year). So upgrading to JVM 11 should be
fine.
NOTE: we should start fixing it by the integer overflow in the PR linked above.
Then go over the rest of the code, applying it to other places where integers
are multipled/added/etc, and where the values could result in OOM or other
annoying security issues (i.e. we don't need to blindly replace every +
operation by addExactly).
-Bruno
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
