Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8190997

PNGImageReader throws NullPointerException when PLTE section is missing

    Details

    • Subcomponent:
    • Resolved In Build:
      b01
    • CPU:
      x86_64
    • OS:
      generic

      Description

      FULL PRODUCT VERSION :
      openjdk version "9.0.1"
      OpenJDK Runtime Environment (build 9.0.1+11)
      OpenJDK 64-Bit Server VM (build 9.0.1+11, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Ubuntu Linux 64-bit

      A DESCRIPTION OF THE PROBLEM :
      The ImageReader com.sun.imageio.plugins.png.PNGImageReader throws a NullPointerException when attempting to read malformed PNG image files whose IHDR specifies color type of 3 (i.e. each pixel is a palette index) but does not contain a PLTE section. This exception is not in the API spec; instead an IOException should be thrown indicating that the input is malformed.

      The exception is thrown in PngImageReader#getImageTypes() inside a switch-case statement with `case PNG_COLOR_PALETTE`: Here, it is possible for `metadata.PLTE_red`, `metadata.PLTE_green` and `metadata.PLTE_blue` to be NULL, simply because a PLTE section did not exist in the image file.

      An easy fix for this would be to check if `metadata.PLTE_present` is true in this case block (as this is set whenever a PLTE section is read), and if not, throw an IIOException indicating that the image is malformed.

      This bug was found using AFL.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Compile and run the test program attached below.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      An IOException should be thrown (e.g. javax.imagio.IIOException).
      ACTUAL -
      A java.lang.NullPointerException is thrown.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" java.lang.NullPointerException
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.getImageTypes(PNGImageReader.java:1491)
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1325)
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1627)
      at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
      at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1363)
      at PngReaderNPEIssue.main(PngReaderNPEIssue.java:21)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.ByteArrayInputStream;
      import java.io.InputStream;
      import java.util.Base64;
      import javax.imageio.ImageIO;

      public class PngReaderNPEIssue {

      // PNG image test case (encoded as base64)
      private static String inputImageBase64 = "iVBORw0KGgoAAAANSUhEUgAAACA" +
      "AAAAgCAMAAABEpIrGAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAA" +
      "AAA9QABBFZszM////AAAAM5lmmf/MPkyvFQAAAGFJREFUeNrckzEOwCAMA5OY/7+5NBQ" +
      "J1DphYaA3sPgkCwtEE0TVAm7BCkfMBaHgp4JvFwjPulSoITAabwHwk1a0PBB6TSBM+bc" +
      "w5ERIlkQiTEPuqTj2ydWbSUhEUgAAUWzl8yZcAgwA0mYDNbDXy5oAAA==";

      public static void main(String[] args) throws java.io.IOException {
      // Convert test case into input stream
      byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
      InputStream in = new ByteArrayInputStream(inputBytes);

      // Attempt to read PNG
      ImageIO.read(in); // Throws java.lang.NullPointerException!
      }
      }
      ---------- END SOURCE ----------

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                jdv Jayathirth D V
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: