From 070cc627f4e6d61913dc52d2caef798532d7da41 Mon Sep 17 00:00:00 2001 From: "Bruno P. Kinoshita" Date: Tue, 2 Mar 2021 15:23:09 +1300 Subject: [PATCH 1/3] [IMAGING-279] Protect against NegativeArraySizeException in BinaryFunctions.readBytes and BinaryFunctions.getRAFBytes --- .../org/apache/commons/imaging/common/BinaryFunctions.java | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java b/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java index bc39ccfa98..9d2051f8b9 100644 --- a/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java +++ b/src/main/java/org/apache/commons/imaging/common/BinaryFunctions.java @@ -88,6 +88,9 @@ public static byte[] readBytes(final String name, final InputStream is, final in public static byte[] readBytes(final String name, final InputStream is, final int length, final String exception) throws IOException { + if (length < 0) { + throw new IOException(String.format("%s, invalid length: %d", exception, length)); + } final byte[] result = new byte[length]; int read = 0; while (read < length) { @@ -327,6 +330,9 @@ public static int findNull(final byte[] src, final int start) { public static byte[] getRAFBytes(final RandomAccessFile raf, final long pos, final int length, final String exception) throws IOException { + if (length < 0) { + throw new IOException(String.format("%s, invalid length: %d", exception, length)); + } final byte[] result = new byte[length]; raf.seek(pos); From ef80e4776e487dfe6c46573e528ffaca35164c6d Mon Sep 17 00:00:00 2001 From: "Bruno P. Kinoshita" Date: Wed, 3 Mar 2021 06:27:06 +1300 Subject: [PATCH 2/3] [IMAGING-279] add unit test with user-provided image --- .../imaging/formats/bmp/BmpImageParserTest.java | 16 ++++++++++++++++ .../negative_array_size_exception.bmp | Bin 0 -> 70 bytes 2 files changed, 16 insertions(+) create mode 100644 src/test/resources/images/bmp/IMAGING-279/negative_array_size_exception.bmp 
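Review bot: The guard added to readBytes rejects only negative values, so a large positive `length` still reaches `new byte[length]` before a single byte has been read; the identical guard in the getRAFBytes hunk has the same gap. If `length` comes from fields of the file being parsed (the BMP regression test in this series suggests so, but the callers are outside these hunks), a small crafted image can still request an allocation near Integer.MAX_VALUE bytes and end in an OutOfMemoryError, which is an Error and is not caught by callers that handle IOException. Consider bounding the request before allocating: in getRAFBytes the remaining file size is available, e.g. `if (length > raf.length() - pos) { throw new IOException(String.format("%s, invalid length: %d", exception, length)); }`, while readBytes would need a maximum size or a chunked read because the stream size is unknown. Both method bodies continue past the end of their hunks.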
diff --git a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java index 13ef1d85c6..d3dc7e30ad 100644 --- a/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java +++ b/src/test/java/org/apache/commons/imaging/formats/bmp/BmpImageParserTest.java @@ -17,6 +17,7 @@ package org.apache.commons.imaging.formats.bmp; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.File; import java.io.IOException; @@ -45,4 +46,19 @@ public void testImageWidthRounding() throws ImageReadException, IOException { final ImageInfo imageInfo = parser.getImageInfo(bmp, Collections.emptyMap()); assertEquals(73, imageInfo.getPhysicalWidthDpi(), "Expected 72.6 resolution to be rounded to 73"); } + + /** + * For https://issues.apache.org/jira/browse/IMAGING-279. + * @throws IOException + * @throws ImageReadException + */ + @Test + public void testImageForNegativeArraySizeException() throws ImageReadException, IOException { + final String file = "/images/bmp/IMAGING-279/negative_array_size_exception.bmp"; + final File bmp = new File(BmpImageParser.class.getResource(file).getFile()); + final BmpImageParser parser = new BmpImageParser(); + assertThrows(IOException.class, () -> { + parser.getImageInfo(bmp, Collections.emptyMap()); + }); + } } diff --git a/src/test/resources/images/bmp/IMAGING-279/negative_array_size_exception.bmp b/src/test/resources/images/bmp/IMAGING-279/negative_array_size_exception.bmp new file mode 100644 index 0000000000000000000000000000000000000000..7a33b86e3aef0bfb6216b02b024209ead352ade6 GIT binary patch literal 70 zcmZ?rHDhF8VEF(4e=Lyl2jUMv_Lu)Z7#JBCYk*vatqlKv|Nr*&+ZUkt`=5WmG5!Xz L{{R1pVE+UFy}~Qj literal 0 HcmV?d00001 From a4a8f1c41b4e6c5e5593d0eef791b52b60f9e974 Mon Sep 17 00:00:00 2001 
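Review bot: `assertThrows(IOException.class, ...)` in testImageForNegativeArraySizeException can pass without the new length guard ever being reached, because any other I/O failure satisfies it too. For example, `getResource(file).getFile()` returns a URL-encoded path, so a checkout directory containing a space would presumably make the file open fail with an IOException subclass and the test would still go green. Pin the test to the fix by checking the message: `final IOException e = assertThrows(IOException.class, () -> parser.getImageInfo(bmp, Collections.emptyMap()));` followed by `assertTrue(e.getMessage().contains("invalid length"));`, plus the matching static import of `assertTrue`. The Javadoc's `@throws IOException` and `@throws ImageReadException` tags are empty and should either be given a description or dropped.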
From: "Bruno P. Kinoshita" Date: Wed, 3 Mar 2021 06:32:18 +1300 Subject: [PATCH 3/3] [IMAGING-279] changelog --- src/changes/changes.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/changes/changes.xml b/src/changes/changes.xml index ffb9cf4770..e9c80c4448 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -45,6 +45,9 @@ The type attribute can be add,update,fix,remove. + + Array sizes not checked for overflow in BmpImageParser. + Bump animal-sniffer-maven-plugin from 1.19 to 1.20 #120.