JDK-8191076

PngReader: NegativeArraySizeException in parse_zTXt_chunk when keyword length exceeds chunk size

    Details

      Description

      FULL PRODUCT VERSION :
      - OpenJDK Runtime Environment (build 9.0.1+11)
      - Java(TM) SE Runtime Environment (build 10-ea+30)

      ADDITIONAL OS VERSION INFORMATION :
      Ubuntu Linux 64-bit

      A DESCRIPTION OF THE PROBLEM :
      The ImageReader com.sun.imageio.plugins.png.PNGImageReader throws a NegativeArraySizeException when attempting to read malformed PNG image files with zTXt sections containing keywords where a terminating null byte is not found within the length of the zTXt chunk.


      This bug was found using AFL + JQF.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Compile and run the test program attached below. Note: This issue only arises when the ImageReader's "readMetaData" is set to "true".

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      An IOException should be thrown (e.g. javax.imageio.IIOException).
      ACTUAL -
      A java.lang.NegativeArraySizeException is thrown.

      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      Exception in thread "main" java.lang.NegativeArraySizeException
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.parse_zTXt_chunk(PNGImageReader.java:660)
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readMetadata(PNGImageReader.java:817)
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.readImage(PNGImageReader.java:1310)
      at java.desktop/com.sun.imageio.plugins.png.PNGImageReader.read(PNGImageReader.java:1674)
      at java.desktop/javax.imageio.ImageReader.read(ImageReader.java:938)
      at PngReaderZtxtChunkSizeIssue.main(PngReaderZtxtChunkSizeIssue.java:26)

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.ByteArrayInputStream;
      import java.io.InputStream;
      import java.util.Base64;
      import javax.imageio.ImageIO;
      import javax.imageio.ImageReader;
      import javax.imageio.stream.ImageInputStream;

      public class PngReaderZtxtChunkSizeIssue {

          // PNG image test case (encoded as base64)
          private static String inputImageBase64 = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCA" +
              "AAAAA6fptVAAAABHpUWHRhYWFhYWFhYQAAAApJREFUGFdj+A8AAQEBAFpNb/EAAAAASUVORK5CYIIK";

          public static void main(String[] args) throws java.io.IOException {
              // Convert test case into input stream
              byte[] inputBytes = Base64.getDecoder().decode(inputImageBase64);
              InputStream in = new ByteArrayInputStream(inputBytes);

              // Make sure we are testing PNGImageReader
              ImageReader reader = ImageIO.getImageReadersByFormatName("png").next();
              assert reader.getClass().getName().equals("com.sun.imageio.plugins.png.PNGImageReader");

              // Set input and mark ignoreMetadata = false
              reader.setInput(ImageIO.createImageInputStream(in), true, false);

              reader.read(0); // Throws java.lang.NegativeArraySizeException!
              reader.dispose();
          }
      }
      ---------- END SOURCE ----------
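
The check the report asks for, as an added example (not the JDK's code and not the reporter's): the keyword terminator is searched for only inside the zTXt chunk's declared data, and a malformed chunk is rejected with an IIOException, run here over the report's test image. The class `ZtxtKeywordCheck` and method `keywordOf` are hypothetical names; the 1-79 byte keyword limit is taken from the PNG specification.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.imageio.IIOException;

public class ZtxtKeywordCheck {
    // Test image from the report above (base64).
    static final String IMAGE = "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCA"
        + "AAAAA6fptVAAAABHpUWHRhYWFhYWFhYQAAAApJREFUGFdj+A8AAQEBAFpNb/EAAAAASUVORK5CYIIK";

    /** Returns the zTXt keyword; the NUL terminator must lie inside the chunk's own data. */
    static String keywordOf(byte[] data) throws IIOException {
        int nul = 0;
        while (nul < data.length && data[nul] != 0) nul++;
        if (nul == data.length)
            throw new IIOException("zTXt: no keyword terminator within " + data.length + " bytes");
        if (nul < 1 || nul > 79)  // keyword length limit from the PNG specification
            throw new IIOException("zTXt: keyword length " + nul + " out of range");
        // After the NUL comes one compression-method byte, then the compressed text.
        if (data.length - nul - 2 < 0)
            throw new IIOException("zTXt: missing compression method byte");
        return new String(data, 0, nul, StandardCharsets.ISO_8859_1);
    }

    public static void main(String[] args) throws IOException {
        byte[] png = Base64.getDecoder().decode(IMAGE);
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(png));
        in.skipBytes(8);  // PNG signature
        while (in.available() >= 12) {  // length + type + CRC is the minimum chunk size
            int length = in.readInt();
            byte[] type = new byte[4];
            in.readFully(type);
            String name = new String(type, StandardCharsets.US_ASCII);
            if (length < 0 || length > in.available() - 4)
                throw new IIOException(name + ": declared length " + length + " exceeds input");
            byte[] data = new byte[length];
            in.readFully(data);
            in.skipBytes(4);  // CRC (not checked here)
            if (!name.equals("zTXt")) continue;
            try {
                System.out.println("zTXt keyword: " + keywordOf(data));
            } catch (IIOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```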

              People

              • Assignee:
                jdv Jayathirth D V
                Reporter:
                webbuggrp Webbug Group