From 348a6f61ef39e73537ed5bcbdb6b14eeff5cefb8 Mon Sep 17 00:00:00 2001
From: bae
Date: Mon, 14 Oct 2013 16:00:03 +0400
Subject: [PATCH] 7058611: JPG parser bugs found via zzuf fuzzing
Reviewed-by: prr, vadim
---
 .../classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java | 5 +++++
 .../com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java
index fd8d1cd53..f38e30f3a 100644
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java
@@ -28,6 +28,7 @@ package com.sun.imageio.plugins.jpeg;
 import javax.imageio.metadata.IIOInvalidTreeException;
 import javax.imageio.metadata.IIOMetadataNode;
 import javax.imageio.stream.ImageOutputStream;
+import javax.imageio.IIOException;
 import java.io.IOException;
@@ -60,6 +61,10 @@ class MarkerSegment implements Cloneable {
 length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
 length |= buffer.buf[buffer.bufPtr++] & 0xff;
 length -= 2; // JPEG length includes itself, we don't
+
+ if (length < 0) {
+ throw new IIOException("Invalid segment length: " + length);
+ }
 buffer.bufAvail -= 3;
 // Now that we know the true length, ensure that we've got it,
 // or at least a bufferful if length is too big.
diff --git a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
index c1359e7b0..904fa7377 100644
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
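Review bot: The new guard reports the already-adjusted value, so a length field of 0 or 1 surfaces as `Invalid segment length: -2` or `-1`, which does not match the byte actually present in the file; either test the raw 16-bit field before the `length -= 2` or say in the message that the value is the payload length after the 2-byte header is subtracted. A short why-comment on the check would also help the next reader, since the reason is only in the commit title: `// A length field below 2 (it counts its own two bytes) can only come from corrupt input; reject it before the buffer is sized from it.`. Throwing IIOException, an IOException subtype, keeps existing callers that catch IOException working, and the check sits correctly before `buffer.bufAvail -= 3` and the buffer-fill logic. The enclosing constructor starts before this hunk and continues after it, so whether the two reads of `buffer.buf` are themselves guaranteed in bounds is not visible here.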
@@ -78,7 +78,7 @@ class SOFMarkerSegment extends MarkerSegment {
 numLines |= buffer.buf[buffer.bufPtr++] & 0xff;
 samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
 samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff;
- int numComponents = buffer.buf[buffer.bufPtr++];
+ int numComponents = buffer.buf[buffer.bufPtr++] & 0xff;
 componentSpecs = new ComponentSpec [numComponents];
 for (int i = 0; i < numComponents; i++) {
 componentSpecs[i] = new ComponentSpec(buffer);
-- 
GitLab
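Review bot: Masking with `& 0xff` stops a component count of 128 or more from going negative, but nothing bounds numComponents against the segment itself: a fuzzed Nf of 255 in a short SOF still drives the loop below into `new ComponentSpec(buffer)` for bytes that belong to the next marker, and Nf of 0 leaves an empty componentSpecs array that later code presumably does not expect. The payload length is already known by this point (the MarkerSegment change in this same patch sets `length`, excluding the 2-byte length field, before the subclass reads the body), so a consistency check before the allocation, such as `if (numComponents == 0 || length != 6 + 3 * numComponents) { throw new IIOException("Invalid SOF segment"); }`, would reject the malformed frame header up front; whether `length` is visible to the subclass and whether each ComponentSpec consumes exactly three bytes needs confirming against the full files. The enclosing constructor starts and ends outside this hunk.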