[jira] [Work logged] (IMAGING-279) Array sizes not checked for overflow in BmpImageParser

Mon, 01 Mar 2021 18:27:04 -0800 


     [ 
https://issues.apache.org/jira/browse/IMAGING-279?focusedWorklogId=559714&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-559714
 ]

ASF GitHub Bot logged work on IMAGING-279:
------------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/Mar/21 02:26
            Start Date: 02/Mar/21 02:26
    Worklog Time Spent: 10m 
      Work Description: kinow opened a new pull request #122:
URL: https://github.com/apache/commons-imaging/pull/122


   The function receives a `length` parameter that can be either hard-coded in 
the caller function, or be retrieved from an image that is being parsed.
   
   If the latter, then the image could contain invalid data, such as values 
that overflow, or negative values. If the values provided are negative, then 
`new byte[-1]` or equivalent would raise a `NegativeArraySizeException` as 
reported in the JIRA issue.
   
   This pull request simply prevents that from happening by raising an 
`IOEXception` (as in other parts of the `BinaryFunctions` code).
   
   That way the `BmpImageParser` and the rest of the code would be safe from 
the runtime `NegativeArraySizeException`.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 559714)
    Remaining Estimate: 0h
            Time Spent: 10m

> Array sizes not checked for overflow in BmpImageParser
> ------------------------------------------------------
>
>                 Key: IMAGING-279
>                 URL: https://issues.apache.org/jira/browse/IMAGING-279
>             Project: Commons Imaging
>          Issue Type: Bug
>          Components: Format: BMP
>    Affects Versions: 1.0-alpha2
>            Reporter: Fabian Meumertzheim
>            Assignee: Bruno P. Kinoshita
>            Priority: Major
>             Fix For: 1.0-alpha3
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In BmpImageParser.readImageContents, it is not verified that 
> [imageDataSize|https://gitbox.apache.org/repos/asf?p=commons-imaging.git;a=blob;f=src/main/java/org/apache/commons/imaging/formats/bmp/BmpImageParser.java;h=09d560011ebbde5ea8df65a30ea9692c2e697d17;hb=HEAD#l441]
>  does not overflow. If it does, BinaryFunctions.readBytes crashes with an 
> uncaught NegativeArraySizeException.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to