[ https://issues.apache.org/jira/browse/IMAGING-332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17834510#comment-17834510 ]
Bruno P. Kinoshita commented on IMAGING-332:
--------------------------------------------
This seems to be fixed in 1.0.0-alpha4, just released (cc [~ggregory] ). I will
update the changes.xml.
{noformat}
kinow@ranma:~/Development/java/apache/commons-imaging$ git tag --contains 0209ed7a8947d7833480f1b8ebd5d9dfd36c4480
commons-imaging-1.0.0-M1-RC1
commons-imaging-1.0.0-alpha4-RC1
rel/commons-imaging-1.0.0-alpha4
kinow@ranma:~/Development/java/apache/commons-imaging$ git log --oneline 0209ed7a8947d7833480f1b8ebd5d9dfd36c4480 | head -n 3
0209ed7a Refactor for arrays
d0fa70d1 More allocation checking
bb37ffe6 Test getImageSize
{noformat}
> OutOfMemory with invalid PNG input file
> ---------------------------------------
>
> Key: IMAGING-332
> URL: https://issues.apache.org/jira/browse/IMAGING-332
> Project: Commons Imaging
> Issue Type: Bug
> Components: Format: PNG
> Affects Versions: 1.0-alpha3
> Reporter: Dominik Stadler
> Priority: Blocker
> Labels: fuzzer
> Fix For: 1.0.0-alpha4
>
> Attachments: image-2022-08-14-13-50-28-786.png
>
>
> The following snippet will cause an OOM as it tries to allocate a huge
> byte-array.
>
> {code:java}
> byte[] input =
> java.util.Base64.getDecoder().decode("iVBORw0KGgoAAAAbaUNDUMlDQyCrbAAtGHZwQWdQyUNDIKtsAAAYiVBORw0KGgp1AAAASURBVA0KGgoAAAANSUhEUgAAACAAIAQACAJ/2QAAsnMAAAAAAElFTkRCYAAY");
> Imaging.getAllBufferedImages(input); {code}
> All such allocations should be guarded by some limits, see e.g.
> [https://poi.apache.org/apidocs/dev/org/apache/poi/util/IOUtils.html#safelyAllocate-long-int-]
> for how Apache POI supports a configurable limit for allocations.
>
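The kind of allocation guard the report asks for, as an added example that is not code from Commons Imaging or Apache POI: a length-prefixed chunk reader that checks the declared length against a cap and against the bytes actually remaining before it allocates. The class name `GuardedChunkRead`, the helper `checkedAllocate`, the 16 MiB cap and both sample inputs are assumptions made for this sketch.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

public class GuardedChunkRead {
    // Assumed cap for this sketch; a library would expose it as a configurable limit.
    static final int MAX_CHUNK_BYTES = 16 * 1024 * 1024;

    // Hypothetical helper: validate an untrusted length before it reaches "new byte[...]".
    static byte[] checkedAllocate(long declared, long available, int max) throws IOException {
        if (declared < 0 || declared > max) {
            throw new IOException("declared length " + declared + " exceeds limit " + max);
        }
        if (declared > available) {
            throw new IOException("declared length " + declared
                    + " but only " + available + " bytes remain");
        }
        return new byte[(int) declared];
    }

    // Reads one PNG-style chunk: 4-byte big-endian length, 4-byte type, data (CRC omitted here).
    static byte[] readChunk(DataInputStream in) throws IOException {
        long declared = in.readInt() & 0xFFFFFFFFL; // treat the length field as unsigned
        in.skipBytes(4);                             // chunk type, not needed for the check
        // available() is exact for in-memory input; for real streams only the cap is reliable.
        byte[] data = checkedAllocate(declared, in.available(), MAX_CHUNK_BYTES);
        in.readFully(data);
        return data;
    }

    static DataInputStream stream(byte[] bytes) {
        return new DataInputStream(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a well-formed 2-byte chunk, and one declaring ~2 GiB with 1 byte present.
        byte[] ok = {0, 0, 0, 2, 't', 'E', 'S', 'T', 0x41, 0x42};
        byte[] hostile = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xF0, 't', 'E', 'S', 'T', 0x41};

        System.out.println("accepted chunk of " + readChunk(stream(ok)).length + " bytes");
        try {
            readChunk(stream(hostile));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Failing with an `IOException` rather than letting `OutOfMemoryError` surface keeps a malformed file a recoverable parse error for the caller.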