Backups/TwelveMonkeys
2
0
Fork 0
mirror of https://github.com/haraldk/TwelveMonkeys.git synced 2025-08-04 03:55:28 -04:00
Code Issues Projects Releases Wiki Activity

#329 JPEGImageReader endless loop fix

Browse Source
This commit is contained in:
Harald Kuhr 2018-05-22 21:10:57 +02:00
parent b32a38bf02
commit 7ab72f0161
14 changed files with 251 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
imageio/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/Application.java
View File

@ -90,7 +90,7 @@ class Application extends Segment {
default:
// Generic APPn segment
byte[] bytes = new byte[length - 2];
byte[] bytes = new byte[Math.max(0, length - 2)];
data.readFully(bytes);
return new Application(marker, identifier, bytes);
}

17
imageio/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReader.java
View File

@ -233,7 +233,14 @@ public final class JPEGImageReader extends ImageReaderBase {
@Override
public Iterator<ImageTypeSpecifier> getImageTypes(int imageIndex) throws IOException {
Iterator<ImageTypeSpecifier> types = delegate.getImageTypes(imageIndex);
Iterator<ImageTypeSpecifier> types;
try {
types = delegate.getImageTypes(imageIndex);
}
catch (IndexOutOfBoundsException | NegativeArraySizeException ignore) {
types = null;
}
JPEGColorSpace csType = getSourceCSType(getJFIF(), getAdobeDCT(), getSOF());
if (types == null || !types.hasNext() || csType == JPEGColorSpace.CMYK || csType == JPEGColorSpace.YCCK) {
@ -302,7 +309,7 @@ public final class JPEGImageReader extends ImageReaderBase {
return rawType;
}
}
catch (IIOException | NullPointerException ignore) {
catch (IIOException | NullPointerException | ArrayIndexOutOfBoundsException | NegativeArraySizeException ignore) {
// Fall through
}
@ -933,8 +940,14 @@ public final class JPEGImageReader extends ImageReaderBase {
return new JPEGLosslessDecoderWrapper(this).readRaster(segments, imageInput);
}
try {
return delegate.readRaster(imageIndex, param);
}
catch (IndexOutOfBoundsException knownIssue) {
// com.sun.imageio.plugins.jpeg.JPEGBuffer doesn't do proper sanity check of input data.
throw new IIOException("Corrupt JPEG data: Bad segment length", knownIssue);
}
}
@Override
public RenderedImage readAsRenderedImage(int imageIndex, ImageReadParam param) throws IOException {

15
imageio/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStream.java
View File

@ -40,6 +40,7 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import static com.twelvemonkeys.imageio.metadata.jpeg.JPEGSegmentUtil.isKnownJPEGMarker;
import static com.twelvemonkeys.lang.Validate.notNull;
import static java.util.Arrays.copyOf;
@ -105,24 +106,25 @@ final class JPEGSegmentImageInputStream extends ImageInputStreamImpl {
// Scan forward
while (true) {
long realPosition = stream.getStreamPosition();
int trash = 0;
int marker = stream.readUnsignedByte();
while (!isKnownJPEGMarker(marker)) {
marker &= 0xff;
// Skip bad padding before the marker
while (marker != 0xff) {
marker = stream.readUnsignedByte();
trash++;
realPosition++;
}
marker = 0xff00 | stream.readUnsignedByte();
// Skip over 0xff padding between markers
while (marker == 0xffff) {
realPosition++;
marker = 0xff00 | stream.readUnsignedByte();
trash++;
}
}
if (trash != 0) {
@ -131,6 +133,8 @@ final class JPEGSegmentImageInputStream extends ImageInputStreamImpl {
processWarningOccured(String.format("Corrupt JPEG data: %d extraneous bytes before marker 0x%02x", trash, marker & 0xff));
}
long realPosition = stream.getStreamPosition() - 2;
// We are now handling all important segments ourselves, except APP1/Exif and APP14/Adobe,
// as these segments affects image decoding.
boolean appSegmentMarker = isAppSegmentMarker(marker);
@ -380,6 +384,7 @@ final class JPEGSegmentImageInputStream extends ImageInputStreamImpl {
fetchSegment();
}
catch (EOFException ignore) {
segments.add(new Segment(0, segment.realEnd(), segment.end(), Integer.MAX_VALUE * 2L - segment.realEnd()));
// This might happen if the segment lengths in the stream are bad.
// We MUST leave internal state untouched in this case.
// We ignore this exception here, but client code will get
@ -415,7 +420,7 @@ final class JPEGSegmentImageInputStream extends ImageInputStreamImpl {
repositionAsNecessary();
long bytesLeft = segment.end() - streamPos; // If no more bytes after reposition, we're at EOF
int count = bytesLeft == 0 ? -1 : segment.read(stream, b, off + total, (int) Math.min(len - total, bytesLeft));
int count = bytesLeft <= 0 ? -1 : segment.read(stream, b, off + total, (int) Math.min(len - total, bytesLeft));
if (count == -1) {
// EOF

128
imageio/imageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReaderTest.java
View File

@ -119,7 +119,14 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
new TestData(getClassLoaderResource("/broken-jpeg/broken-invalid-adobe-ycc-gray.jpg"), new Dimension(11, 440)), // Image readable, broken metadata (fixable?)
new TestData(getClassLoaderResource("/broken-jpeg/broken-no-sof-ascii-transfer-mode.jpg"), new Dimension(-1, -1)), // Unreadable, can't find SOFn marker
new TestData(getClassLoaderResource("/broken-jpeg/broken-sos-before-sof.jpg"), new Dimension(-1, -1)), // Unreadable, can't find SOFn marker
new TestData(getClassLoaderResource("/broken-jpeg/broken-adobe-segment-length-beyond-eof.jpg"), new Dimension(-1, -1)) // Unreadable, no EOI
new TestData(getClassLoaderResource("/broken-jpeg/broken-adobe-segment-length-beyond-eof.jpg"), new Dimension(-1, -1)), // Unreadable, no EOI
new TestData(getClassLoaderResource("/broken-jpeg/513f29d0-02a8-11e7-9756-6035edb96e79.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/51432b02-02a8-11e7-9203-b42b1c43c0c3.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/5145e95a-02a8-11e7-8372-4787a7307ab8.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/514b20dc-02a8-11e7-92c6-d4fed7b4ebb1.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/514c48ea-02a8-11e7-8789-bb75321f404f.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/514e4122-02a8-11e7-8c03-0830d60cd585.jpg"), new Dimension(-1, -1)),
new TestData(getClassLoaderResource("/broken-jpeg/513f29d0-02a8-11e7-9756-6035edb96e79.jpg"), new Dimension(-1, -1))
);
// More test data in specific tests below
@ -446,7 +453,7 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
@Test
public void testBrokenReadRasterAfterGetMetadataException() throws IOException {
// See issue 107, from PDFBox team
// See issue #107, from PDFBox team
JPEGImageReader reader = createReader();
try {
@ -458,7 +465,6 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
}
catch (IOException ignore) {
// Expected IOException here, due to broken file
// ignore.printStackTrace();
}
try {
@ -477,6 +483,122 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
}
}
@Test
public void testSPIRecognizesBrokenJPEG() throws IOException {
// TODO: There's a bug in com.sun.imageio.plugins.png.PNGImageReaderSpi.canDecode
// causing files < 8 bytes to not be recognized as anything...
ImageReaderSpi provider = createProvider();
for (TestData data : getBrokenTestData()) {
assertTrue(data.toString(), provider.canDecodeInput(data.getInputStream()));
}
}
// TODO: Consider wrapping the delegate in JPEGImageReader with methods that don't throw
// runtime exceptions, and instead throw IIOException?
@Test
public void testBrokenGetRawImageType() throws IOException {
JPEGImageReader reader = createReader();
try {
for (TestData broken : getBrokenTestData()) {
reader.setInput(broken.getInputStream());
try {
reader.getRawImageType(0);
}
catch (IIOException expected) {
assertNotNull(expected.getMessage());
}
catch (IOException expected) {
if (!(expected instanceof EOFException)) {
assertNotNull(expected.getMessage());
}
}
}
}
finally {
reader.dispose();
}
}
@Test(timeout = 200)
public void testBrokenGetRawImageTypeIgnoreMetadata() throws IOException {
JPEGImageReader reader = createReader();
try {
for (TestData broken : getBrokenTestData()) {
reader.setInput(broken.getInputStream(), true, true);
try {
reader.getRawImageType(0);
}
catch (IIOException expected) {
assertNotNull(expected.getMessage());
}
catch (IOException expected) {
if (!(expected instanceof EOFException)) {
assertNotNull(expected.getMessage());
}
}
}
}
finally {
reader.dispose();
}
}
@Test
public void testBrokenGetImageTypes() throws IOException {
JPEGImageReader reader = createReader();
try {
for (TestData broken : getBrokenTestData()) {
reader.setInput(broken.getInputStream());
try {
reader.getImageTypes(0);
}
catch (IIOException expected) {
assertNotNull(expected.getMessage());
}
catch (IOException expected) {
if (!(expected instanceof EOFException)) {
assertNotNull(expected.getMessage());
}
}
}
}
finally {
reader.dispose();
}
}
@Test(timeout = 200)
public void testBrokenGetImageTypesIgnoreMetadata() throws IOException {
JPEGImageReader reader = createReader();
try {
for (TestData broken : getBrokenTestData()) {
reader.setInput(broken.getInputStream(), true, true);
try {
reader.getImageTypes(0);
}
catch (IIOException expected) {
assertNotNull(expected.getMessage());
}
catch (IOException expected) {
if (!(expected instanceof EOFException)) {
assertNotNull(expected.getMessage());
}
}
}
}
finally {
reader.dispose();
}
}
@Test
public void testBrokenRead() throws IOException {
JPEGImageReader reader = createReader();

28
imageio/imageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStreamTest.java
View File

@ -172,6 +172,32 @@ public class JPEGSegmentImageInputStreamTest {
assertEquals(1061L, length); // Sanity check: same as file size, except padding and the filtered ICC_PROFILE segment
}
@Test
public void testEOFExceptionInSegmentParsingShouldNotCreateBadState2() throws IOException {
ImageInputStream iis = new JPEGSegmentImageInputStream(ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/51432b02-02a8-11e7-9203-b42b1c43c0c3.jpg")));
byte[] buffer = new byte[4096];
// NOTE: This is a simulation of how the native parts of com.sun...JPEGImageReader would read the image...
assertEquals(2, iis.read(buffer, 0, buffer.length));
assertEquals(2, iis.getStreamPosition());
iis.seek(2000); // Just a random postion beyond EOF
assertEquals(2000, iis.getStreamPosition());
// So far, so good (but stream position is now really beyond EOF)...
// This however, will blow up with an EOFException internally (but we'll return -1 to be good)
assertEquals(-1, iis.read(buffer, 0, buffer.length));
assertEquals(-1, iis.read());
assertEquals(2000, iis.getStreamPosition());
// Again, should just continue returning -1 for ever
assertEquals(-1, iis.read());
assertEquals(-1, iis.read(buffer, 0, buffer.length));
assertEquals(2000, iis.getStreamPosition());
}
@Test
public void testEOFExceptionInSegmentParsingShouldNotCreateBadState() throws IOException {
ImageInputStream iis = new JPEGSegmentImageInputStream(ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/broken-no-sof-ascii-transfer-mode.jpg")));
@ -189,10 +215,12 @@ public class JPEGSegmentImageInputStreamTest {
// This however, will blow up with an EOFException internally (but we'll return -1 to be good)
assertEquals(-1, iis.read(buffer, 0, buffer.length));
assertEquals(-1, iis.read());
assertEquals(0x2012, iis.getStreamPosition());
// Again, should just continue returning -1 for ever
assertEquals(-1, iis.read(buffer, 0, buffer.length));
assertEquals(-1, iis.read());
assertEquals(0x2012, iis.getStreamPosition());
}
}

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/513f29d0-02a8-11e7-9756-6035edb96e79.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.0 KiB

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/51432b02-02a8-11e7-9203-b42b1c43c0c3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/5145e95a-02a8-11e7-8372-4787a7307ab8.jpg Normal file
View File

Binary file not shown.

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/514b20dc-02a8-11e7-92c6-d4fed7b4ebb1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/514c48ea-02a8-11e7-8789-bb75321f404f.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 232 B

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/514e4122-02a8-11e7-8c03-0830d60cd585.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/515e763c-02a8-11e7-85fb-573b41201f05.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.9 KiB

BIN
imageio/imageio-jpeg/src/test/resources/broken-jpeg/516c2778-02a8-11e7-9d50-e916ce831200.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.0 KiB

55
imageio/imageio-metadata/src/main/java/com/twelvemonkeys/imageio/metadata/jpeg/JPEGSegmentUtil.java
View File

@ -165,6 +165,7 @@ public final class JPEGSegmentUtil {
// int trash = 0;
int marker = stream.readUnsignedByte();
while (!isKnownJPEGMarker(marker)) {
// Skip trash padding before the marker
while (marker != 0xff) {
marker = stream.readUnsignedByte();
@ -182,6 +183,7 @@ public final class JPEGSegmentUtil {
while (marker == 0xffff) {
marker = 0xff00 | stream.readUnsignedByte();
}
}
if ((marker >> 8 & 0xff) != 0xff) {
throw new IIOException(String.format("Bad marker: %04x", marker));
@ -192,7 +194,7 @@ public final class JPEGSegmentUtil {
byte[] data;
if (segmentIdentifiers.containsKey(marker)) {
data = new byte[length - 2];
data = new byte[Math.max(0, length - 2)];
stream.readFully(data);
}
else {
@ -218,6 +220,57 @@ public final class JPEGSegmentUtil {
return new JPEGSegment(marker, data, length);
}
public static boolean isKnownJPEGMarker(final int marker) {
switch (marker) {
case JPEG.SOI:
case JPEG.EOI:
case JPEG.DHT:
case JPEG.SOS:
case JPEG.DQT:
case JPEG.COM:
case JPEG.SOF0:
case JPEG.SOF1:
case JPEG.SOF2:
case JPEG.SOF3:
case JPEG.SOF5:
case JPEG.SOF6:
case JPEG.SOF7:
case JPEG.SOF9:
case JPEG.SOF10:
case JPEG.SOF11:
case JPEG.SOF13:
case JPEG.SOF14:
case JPEG.SOF15:
case JPEG.SOF55:
case JPEG.APP0:
case JPEG.APP1:
case JPEG.APP2:
case JPEG.APP3:
case JPEG.APP4:
case JPEG.APP5:
case JPEG.APP6:
case JPEG.APP7:
case JPEG.APP8:
case JPEG.APP9:
case JPEG.APP10:
case JPEG.APP11:
case JPEG.APP12:
case JPEG.APP13:
case JPEG.APP14:
case JPEG.APP15:
case JPEG.DRI:
case JPEG.TEM:
case JPEG.DAC:
case JPEG.DHP:
case JPEG.DNL:
case JPEG.EXP:
case JPEG.LSE:
return true;
default:
return false;
}
}
private static class AllIdsList extends ArrayList<String> {
@Override
public String toString() {