Merge pull request #122 from kinow/IMAGING-279

[IMAGING-279] Protect against NegativeArraySizeException in BinaryFunctions.readBytes and BinaryFunctions.getRAFBytes
apache · Mar 2, 2021 · 473b644 · 473b644
2 parents aa84b53 + a4a8f1c
commit 473b644
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 0 deletions.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -45,6 +45,9 @@ The <action> type attribute can be add,update,fix,remove.
   </properties>
   <body>
     <release version="1.0-alpha3" date="2020-??-??" description="Third 1.0 alpha release">
+      <action issue="IMAGING-279" dev="kinow" type="fix">
+        Array sizes not checked for overflow in BmpImageParser.
+      </action>
       <action dev="kinow" type="update" due-to="Dependabot">
         Bump animal-sniffer-maven-plugin from 1.19 to 1.20 #120.
       </action>

diff --git a/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java b/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java
@@ -88,6 +88,9 @@ public static byte[] readBytes(final String name, final InputStream is, final in
 
     public static byte[] readBytes(final String name, final InputStream is, final int length,
             final String exception) throws IOException {
+        if (length < 0) {
+            throw new IOException(String.format("%s, invalid length: %d", exception, length));
+        }
         final byte[] result = new byte[length];
         int read = 0;
         while (read < length) {
@@ -327,6 +330,9 @@ public static int findNull(final byte[] src, final int start) {
 
     public static byte[] getRAFBytes(final RandomAccessFile raf, final long pos,
             final int length, final String exception) throws IOException {
+        if (length < 0) {
+            throw new IOException(String.format("%s, invalid length: %d", exception, length));
+        }
         final byte[] result = new byte[length];
 
         raf.seek(pos);

diff --git a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java
@@ -17,6 +17,7 @@
 package org.apache.commons.imaging.formats.bmp;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.File;
 import java.io.IOException;
@@ -45,4 +46,19 @@ public void testImageWidthRounding() throws ImageReadException, IOException {
         final ImageInfo imageInfo = parser.getImageInfo(bmp, Collections.emptyMap());
         assertEquals(73, imageInfo.getPhysicalWidthDpi(), "Expected 72.6 resolution to be rounded to 73");
     }
+
+    /**
+     * For https://issues.apache.org/jira/browse/IMAGING-279.
+     * @throws IOException
+     * @throws ImageReadException
+     */
+    @Test
+    public void testImageForNegativeArraySizeException() throws ImageReadException, IOException {
+        final String file = "/images/bmp/IMAGING-279/negative_array_size_exception.bmp";
+        final File bmp = new File(BmpImageParser.class.getResource(file).getFile());
+        final BmpImageParser parser = new BmpImageParser();
+        assertThrows(IOException.class, () -> {
+            parser.getImageInfo(bmp, Collections.emptyMap());
+        });
+    }
 }
diff --git a/src/test/resources/images/bmp/IMAGING-279/negative_array_size_exception.bmp b/src/test/resources/images/bmp/IMAGING-279/negative_array_size_exception.bmp