#488: Fix for AIOOBE in getEmbeddedICCProfile when ICC profile is empty

2025-08-03 11:35:29 -04:00 · 2019-08-07 16:18:01 +02:00 · 2019-08-07 16:18:01 +02:00 · ee049d9465
commit ee049d9465
parent f6aa810f8b
3 changed files with 33 additions and 9 deletions
--- a/imageio/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReader.java
+++ b/imageio/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReader.java
@ -932,7 +932,7 @@ public final class JPEGImageReader extends ImageReaderBase {
        return data;
    }

-    protected ICC_Profile getEmbeddedICCProfile(final boolean allowBadIndexes) throws IOException {
+    ICC_Profile getEmbeddedICCProfile(final boolean allowBadIndexes) throws IOException {
        // ICC v 1.42 (2006) annex B:
        // APP2 marker (0xFFE2) + 2 byte length + ASCII 'ICC_PROFILE' + 0 (termination)
        // + 1 byte chunk number + 1 byte chunk count (allows ICC profiles chunked in multiple APP2 segments)
@ -956,8 +956,9 @@ public final class JPEGImageReader extends ImageReaderBase {
                return null;
            }

-            int iccChunkDataSize = segment.data.length - segment.identifier.length() - 3; // ICC_PROFILE + null + chunk number + count
-            int iccSize = intFromBigEndian(segment.data, segment.identifier.length() + 3);
+            int segmentDataStart = segment.identifier.length() + 3; // ICC_PROFILE + null + chunk number + count
+            int iccChunkDataSize = segment.data.length - segmentDataStart;
+            int iccSize = segment.data.length < segmentDataStart + 4 ? 0 : intFromBigEndian(segment.data, segmentDataStart);

            return readICCProfileSafe(stream, allowBadIndexes, iccSize, iccChunkDataSize);
        }
@ -1010,9 +1011,10 @@ public final class JPEGImageReader extends ImageReaderBase {
                int index = badICC ? i : chunkNumber - 1;
                streams[index] = stream;

-                iccChunkDataSize += segment.data.length - segment.identifier.length() - 3;
+                int segmentDataStart = segment.identifier.length() + 3; // ICC_PROFILE + null + chunk number + count
+                iccChunkDataSize += segment.data.length - segmentDataStart;
                if (index == 0) {
-                    iccSize = intFromBigEndian(segment.data, segment.identifier.length() + 3);
+                    iccSize = intFromBigEndian(segment.data, segmentDataStart);
                }
            }

--- a/imageio/imageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReaderTest.java
+++ b/imageio/imageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReaderTest.java
@ -56,8 +56,8 @@ import java.awt.color.ICC_Profile;
 import java.awt.image.BufferedImage;
 import java.awt.image.DataBufferByte;
 import java.io.*;
-import java.util.*;
 import java.util.List;
+import java.util.*;

 import static com.twelvemonkeys.imageio.util.IIOUtil.lookupProviderByName;
 import static org.junit.Assert.*;
@ -1784,8 +1784,8 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
    public void testReadSequenceInverse() throws IOException {
        JPEGImageReader reader = createReader();

-        try {
-            reader.setInput(ImageIO.createImageInputStream(getClassLoaderResource("/jpeg/jfif-with-preview-as-second-image.jpg")));
+        try (ImageInputStream stream = ImageIO.createImageInputStream(getClassLoaderResource("/jpeg/jfif-with-preview-as-second-image.jpg"))) {
+            reader.setInput(stream);

            BufferedImage image = reader.read(1, null);

@ -1835,7 +1835,29 @@ public class JPEGImageReaderTest extends ImageReaderAbstractTest<JPEGImageReader
            assertNotNull(image);
            assertEquals(386, image.getWidth());
            assertEquals(396, image.getHeight());
-        } finally {
+        }
+        finally {
+            reader.dispose();
+        }
+    }
+
+    @Test
+    public void testReadEmptyICCProfile() throws IOException {
+        JPEGImageReader reader = createReader();
+
+        try (ImageInputStream stream = ImageIO.createImageInputStream(getClassLoaderResource("/jpeg/exif-empty-icc-profile.jpeg"))) {
+            reader.setInput(stream);
+
+            assertEquals(612, reader.getWidth(0));
+            assertEquals(816, reader.getHeight(0));
+
+            BufferedImage image = reader.read(0, null);
+
+            assertNotNull(image);
+            assertEquals(612, image.getWidth());
+            assertEquals(816, image.getHeight());
+        }
+        finally {
            reader.dispose();
        }
    }
--- a/imageio/imageio-jpeg/src/test/resources/jpeg/exif-empty-icc-profile.jpeg
+++ b/imageio/imageio-jpeg/src/test/resources/jpeg/exif-empty-icc-profile.jpeg