Michael Groß created IMAGING-167:
------------------------------------
Summary: Possible infinite loop at XpmImageParser::writeImage(...)
Key: IMAGING-167
URL: https://issues.apache.org/jira/browse/IMAGING-167
Project: Commons Imaging
Issue Type: Bug
Reporter: Michael Groß
While researching for IMAGING-164 I found the following code at
org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...)
{noformat}
final PaletteFactory paletteFactory = new PaletteFactory();
....
SimplePalette palette = null;
int maxColors = WRITE_PALETTE.length;
int charsPerPixel = 1;
while (palette == null) {
palette = paletteFactory.makeExactRgbPaletteSimple(src,
hasTransparency ? maxColors - 1 : maxColors);
if (palette == null) {
maxColors *= WRITE_PALETTE.length;
charsPerPixel++;
}
}
{noformat}
The while loop has no exit when *maxColors* or *charsPerPixel* - both int
values - overflow. They can overflow because
PaletteFactory.makeExactRgbPaletteSimple(...) can return null as found in
IMAGING-164.
As far as I know Java doesn't thows an exception when an int flows over - it
just "flips" it so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE. So we
would have an infinite loop.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
