[
https://issues.apache.org/jira/browse/IMAGING-167?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Groß updated IMAGING-167:
---------------------------------
Fix Version/s: Patch Needed
> Possible infinite loop at XpmImageParser::writeImage(...)
> ---------------------------------------------------------
>
> Key: IMAGING-167
> URL: https://issues.apache.org/jira/browse/IMAGING-167
> Project: Commons Imaging
> Issue Type: Bug
> Reporter: Michael Groß
> Fix For: Patch Needed
>
>
> While researching for IMAGING-164 I found the following code at
> org.apache.commons.imaging.formats.xpm.XpmImageParser::writeImage(...)
> {noformat}
> final PaletteFactory paletteFactory = new PaletteFactory();
> ....
> SimplePalette palette = null;
> int maxColors = WRITE_PALETTE.length;
> int charsPerPixel = 1;
> while (palette == null) {
> palette = paletteFactory.makeExactRgbPaletteSimple(src,
> hasTransparency ? maxColors - 1 : maxColors);
> if (palette == null) {
> maxColors *= WRITE_PALETTE.length;
> charsPerPixel++;
> }
> }
> {noformat}
> The while loop has no exit when *maxColors* or *charsPerPixel* - both int
> values - overflow. They can overflow because
> PaletteFactory.makeExactRgbPaletteSimple(...) can return null as found in
> IMAGING-164.
> As far as I know Java doesn't thows an exception when an int flows over - it
> just "flips" it so after Integer.MAX_VALUE it goes to Integer.MIN_VALUE. So
> we would have an infinite loop.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
