#645 AAIOBE in CCITTFaxDecoderStream now wrapped in IOException

(cherry picked from commit 3911191b04)
2025-10-04 11:26:44 -04:00 · 2021-12-11 17:48:57 +01:00
parent fdbbcc54a8
commit a39bca4d2f
3 changed files with 29 additions and 5 deletions
--- a/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/CCITTFaxDecoderStream.java
+++ b/imageio/imageio-tiff/src/main/java/com/twelvemonkeys/imageio/plugins/tiff/CCITTFaxDecoderStream.java
@@ -30,14 +30,14 @@

 package com.twelvemonkeys.imageio.plugins.tiff;

+import com.twelvemonkeys.lang.Validate;
+
 import java.io.EOFException;
 import java.io.FilterInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Arrays;

-import com.twelvemonkeys.lang.Validate;
-
 /**
 * CCITT Modified Huffman RLE, Group 3 (T4) and Group 4 (T6) fax compression.
 *
@@ -198,6 +198,10 @@ final class CCITTFaxDecoderStream extends FilterInputStream {
            try {
                decodeRow();
            }
+            catch (ArrayIndexOutOfBoundsException e) {
+                // Mask the AIOOBE as an IOException
+                throw new IOException("Malformed CCITT stream", e);
+            }
            catch (EOFException e) {
                // TODO: Rewrite to avoid throw/catch for normal flow...
                if (decodedLength != 0) {
--- a/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/CCITTFaxDecoderStreamTest.java
+++ b/imageio/imageio-tiff/src/test/java/com/twelvemonkeys/imageio/plugins/tiff/CCITTFaxDecoderStreamTest.java
@@ -253,7 +253,7 @@ public class CCITTFaxDecoderStreamTest {
    @Test
    public void testDecodeMissingRows() throws IOException {
        // See https://github.com/haraldk/TwelveMonkeys/pull/225 and https://github.com/haraldk/TwelveMonkeys/issues/232
-        InputStream inputStream = getClass().getResourceAsStream("/tiff/ccitt_tolessrows.tif");
+        InputStream inputStream = getResourceAsStream("/tiff/ccitt_tolessrows.tif");

        // Skip until StripOffsets: 8
        for (int i = 0; i < 8; i++) {
@@ -299,7 +299,7 @@ public class CCITTFaxDecoderStreamTest {
    public void testMoreChangesThanColumnsFile() throws IOException {
        // See https://github.com/haraldk/TwelveMonkeys/issues/328
        // 26 changes on 24 columns: H0w1b, H1w1b, ..., H1w0b
-        InputStream stream = getClass().getResourceAsStream("/tiff/ccitt-too-many-changes.tif");
+        InputStream stream = getResourceAsStream("/tiff/ccitt-too-many-changes.tif");

        // Skip bytes before StripOffsets: 86
        for (int i = 0; i < 86; i++) {
@@ -336,7 +336,7 @@ public class CCITTFaxDecoderStreamTest {

    @Test
    public void testG3AOE() throws IOException {
-        InputStream inputStream = getClass().getResourceAsStream("/tiff/ccitt/g3aoe.tif");
+        InputStream inputStream = getResourceAsStream("/tiff/ccitt/g3aoe.tif");

        // Skip until StripOffsets: 8
        for (int i = 0; i < 8; i++) {
@@ -353,4 +353,17 @@ public class CCITTFaxDecoderStreamTest {
        byte[] bytes = new byte[216 * 1168]; // 1728 x 1168 pixel, 1 bpp => 216 bytes * 1168
        new DataInputStream(stream).readFully(bytes);
    }
+
+    @SuppressWarnings("StatementWithEmptyBody")
+    @Test(expected = IOException.class)
+    public void testAIOBEInCorruptStreamShouldThrowIOException() throws IOException {
+        // From #645
+        try (InputStream ccittFaxDecoderStream = new CCITTFaxDecoderStream(getResourceAsStream("/ccitt/645.ccitt"), 7, 4, 0, false)) {
+            while(ccittFaxDecoderStream.read() != -1); // Just read until the end
+        }
+    }
+
+    private InputStream getResourceAsStream(String name) {
+        return getClass().getResourceAsStream(name);
+    }
 }
--- a/imageio/imageio-tiff/src/test/resources/ccitt/645.ccitt
+++ b/imageio/imageio-tiff/src/test/resources/ccitt/645.ccitt
@@ -0,0 +1,7 @@
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD>]L<><4C> H<><48>t\e<><65>G<EFBFBD>Dn0<6E><30>ܯ菑<DCAF><E88F91>#<23><08><><EFBFBD><EFBFBD><EFBFBD>GFtGG<11>m<11>|<7C><><EFBFBD><11><>6<1C><14>GD|<7C>
+N<EFBFBD>T<04>J<EFBFBD><4A>ф#<23><>1"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>̒<EFBFBD><CC92><EFBFBD><14><>H!e<>"<22>4<EFBFBD>":DqC<>;#<23><><EFBFBD>B"&$<16><1D>@<40>|6)<11>&V{ <20><10>Aq<12>H<EFBFBD>!;<3B><><EFBFBD>P<EFBFBD><50>&8<><10>c<EFBFBD><63>"<22>$&<11>GD|<7C><>EZ(<28>#T<>^|[<5B>`<60>96<39><36>PP<50> <20><>Ė1<C496>?SHp<48>dq<64><71>,!<21>!<21><>#<23>A$ <20><>
+@<40><12>;r<><72>A<EFBFBD>DD<44><44>BvR
+<1C><>$C<><43>G<><47> @<40> <20>BVw	"c<>%<e~<7E><>(s<>1h<31><68><EFBFBD><EFBFBD>#/<11>Q.b0<62>$
+<EFBFBD>D<>8@<40>""<22>C<EFBFBD>t0<74>Y|<7C>t<EFBFBD><74><EFBFBD>ph$<24><><EFBFBD>;<3B>pAF
+<08>":<10>8<EFBFBD>А<><D090><04><18><>vĘ<76>8b<18><>ұ$9<><<14><><08>"
+<EFBFBD>qR<08><><EFBFBD><EFBFBD><<3C><>8<EFBFBD>q<EFBFBD><0B><>A28ˠ<38><CBA0>E<EFBFBD>EAP!a5<61>9<EFBFBD>Dq<44>FdG9NS<4E>1HJ<1C><>&<1C><>1<18>nM(DDB*<2A>H<EFBFBD><48><0E><>э<15><08><>H!)<29>>P<>>%<0E>3<EFBFBD><0C><>Ñ,Þ<>