diff --git a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java index fd8d1cd53c10e77a9c7f692c603811ae36d4547e..f38e30f3ae8d7d3b15cf71b4a53366220fcd3e3e 100644 --- a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java +++ b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java @@ -28,6 +28,7 @@ package com.sun.imageio.plugins.jpeg; import javax.imageio.metadata.IIOInvalidTreeException; import javax.imageio.metadata.IIOMetadataNode; import javax.imageio.stream.ImageOutputStream; +import javax.imageio.IIOException; import java.io.IOException; @@ -60,6 +61,10 @@ class MarkerSegment implements Cloneable { length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8; length |= buffer.buf[buffer.bufPtr++] & 0xff; length -= 2; // JPEG length includes itself, we don't + + if (length < 0) { + throw new IIOException("Invalid segment length: " + length); + } buffer.bufAvail -= 3; // Now that we know the true length, ensure that we've got it, // or at least a bufferful if length is too big. diff --git a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java index c1359e7b09dee3cb1cde8fac609b3a1fa1073b2c..904fa73777c89df30e36244577a95f70900c93df 100644 --- a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java +++ b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java @@ -78,7 +78,7 @@ class SOFMarkerSegment extends MarkerSegment { numLines |= buffer.buf[buffer.bufPtr++] & 0xff; samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8; samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff; - int numComponents = buffer.buf[buffer.bufPtr++]; + int numComponents = buffer.buf[buffer.bufPtr++] & 0xff; componentSpecs = new ComponentSpec [numComponents]; for (int i = 0; i < numComponents; i++) { componentSpecs[i] = new ComponentSpec(buffer);