[ 
https://issues.apache.org/jira/browse/IMAGING-326?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Bruno P. Kinoshita updated IMAGING-326:
---------------------------------------
    Description: 
See PR 
[https://github.com/apache/commons-imaging/pull/196#discussion_r790148843] for 
context.

Integer overflow is a common source of problems in Imaging. The work on this 
issue is to address when that could happen and prevent it from doing so.

Java 8 includes methods like 
[multiplyExact|https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Math.html#multiplyExact(int,int)]
which are convenient for us.

NOTE: we should start fixing it by the integer overflow in the PR linked above. 
Then go over the rest of the code, applying it to other places where integers 
are multiplied/added/etc, and where the values could result in OOM or other 
annoying security issues (i.e. we don't need to blindly replace every + 
operation by addExactly).

-Bruno

  was:
See PR 
[https://github.com/apache/commons-imaging/pull/196#discussion_r790148843] for 
context.

Integer overflow is a common source of problems in Imaging. The work on this 
issue is to address when that could happen and prevent it from doing so.

Java 11 includes methods like 
[multiplyExact|https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Math.html#multiplyExact(int,int)]
which are convenient for us.

Given the next release will be 1.0-alpha3, I think the 1.0 final should be cut 
by Q3 or Q4 this year (or even Q1 next year). So upgrading to JVM 11 should be 
fine.

NOTE: we should start fixing it by the integer overflow in the PR linked above. 
Then go over the rest of the code, applying it to other places where integers 
are multiplied/added/etc, and where the values could result in OOM or other 
annoying security issues (i.e. we don't need to blindly replace every + 
operation by addExactly).

-Bruno


> Update to Java 11 and use JDK's multiplyExact to avoid integer overflows
> ------------------------------------------------------------------------
>
>                 Key: IMAGING-326
>                 URL: https://issues.apache.org/jira/browse/IMAGING-326
>             Project: Commons Imaging
>          Issue Type: Improvement
>          Components: imaging.*
>    Affects Versions: 1.0-alpha2
>            Reporter: Bruno P. Kinoshita
>            Priority: Blocker
>             Fix For: 1.0
>
>
> See PR 
> [https://github.com/apache/commons-imaging/pull/196#discussion_r790148843] 
> for context.
> Integer overflow is a common source of problems in Imaging. The work on this 
> issue is to address when that could happen and prevent it from doing so.
> Java 8 includes methods like 
> [multiplyExact|https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/lang/Math.html#multiplyExact(int,int)]
> which are convenient for us.
> NOTE: we should start fixing it by the integer overflow in the PR linked 
> above. Then go over the rest of the code, applying it to other places where 
> integers are multiplied/added/etc, and where the values could result in OOM or 
> other annoying security issues (i.e. we don't need to blindly replace every + 
> operation by addExactly).
> -Bruno
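The following is an added example, not code from the Commons Imaging project or from the issue author, illustrating the class of bug the ticket describes: a pixel-buffer size computed from header-declared dimensions wraps silently with plain `int` arithmetic, while `Math.multiplyExact` and `Math.addExact` turn the same wrap into an `ArithmeticException` that a decoder can reject up front. The helper names (`uncheckedBufferSize`, `checkedBufferSize`, `checkRange`) and the 65537 x 65537 dimensions are constructed for the example.

```java
// Added example (not commons-imaging code). Shows why a size derived from
// untrusted header fields must be computed with overflow-checked arithmetic.
public final class ExactSizeExample {

    /** Plain arithmetic: the product silently wraps modulo 2^32. */
    static int uncheckedBufferSize(int width, int height, int bytesPerPixel) {
        return width * height * bytesPerPixel;
    }

    /** Checked arithmetic: throws ArithmeticException instead of wrapping. */
    static int checkedBufferSize(int width, int height, int bytesPerPixel) {
        int pixels = Math.multiplyExact(width, height);
        return Math.multiplyExact(pixels, bytesPerPixel);
    }

    /**
     * Bounds check for an (offset, length) pair read from a file. Using addExact
     * means a huge length cannot wrap offset + length back below 'available'.
     */
    static void checkRange(int offset, int length, int available) {
        if (offset < 0 || length < 0) {
            throw new IllegalArgumentException("negative offset or length");
        }
        int end = Math.addExact(offset, length); // throws on wrap
        if (end > available) {
            throw new IllegalArgumentException("range exceeds data: end=" + end
                    + " available=" + available);
        }
    }

    public static void main(String[] args) {
        // Constructed header values: 65537 x 65537 pixels, 1 byte per pixel.
        // 65537 * 65537 = 4295098369, which exceeds Integer.MAX_VALUE.
        int width = 65537, height = 65537, bytesPerPixel = 1;

        // Wraps to 131073: a small positive number, so the allocation "succeeds"
        // and later pixel writes run past the end of the buffer.
        int wrapped = uncheckedBufferSize(width, height, bytesPerPixel);
        System.out.println("unchecked size = " + wrapped);

        try {
            checkedBufferSize(width, height, bytesPerPixel);
        } catch (ArithmeticException e) {
            // This is the outcome we want: reject the image before allocating.
            System.out.println("checked size rejected: " + e.getMessage());
        }

        // Offset/length that wraps with plain addition but is caught by addExact.
        try {
            checkRange(Integer.MAX_VALUE - 10, 100, 1024);
        } catch (ArithmeticException e) {
            System.out.println("range rejected: " + e.getMessage());
        }

        // A sane image still works as before.
        System.out.println("640x480x3 = " + checkedBufferSize(640, 480, 3));
    }
}
```

The point of `checkedBufferSize` over `uncheckedBufferSize` is that the overflow is raised where the untrusted number enters the code, so the caller can map it to a decoder error; replacing every `+` in unrelated arithmetic is not needed, which matches the note in the issue about targeting places where a wrapped value feeds an allocation or index.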



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
