7058611: JPG parser bugs found via zzuf fuzzing

Reviewed-by: prr, vadim

7058611: JPG parser bugs found via zzuf fuzzing
Reviewed-by: prr, vadim
348a6f61 · bae · c3c52055 · 348a6f61 · 348a6f61
2 changed file
--- a/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java
@@ -28,6 +28,7 @@ package com.sun.imageio.plugins.jpeg;
 import javax.imageio.metadata.IIOInvalidTreeException;
 import javax.imageio.metadata.IIOMetadataNode;
 import javax.imageio.stream.ImageOutputStream;
+import javax.imageio.IIOException;

 import java.io.IOException;

@@ -60,6 +61,10 @@ class MarkerSegment implements Cloneable {
        length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
        length |= buffer.buf[buffer.bufPtr++] & 0xff;
        length -= 2;  // JPEG length includes itself, we don't
+
+        if (length < 0) {
+            throw new IIOException("Invalid segment length: " + length);
+        }
        buffer.bufAvail -= 3;
        // Now that we know the true length, ensure that we've got it,
        // or at least a bufferful if length is too big.

--- a/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
+++ b/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java
@@ -78,7 +78,7 @@ class SOFMarkerSegment extends MarkerSegment {
        numLines |= buffer.buf[buffer.bufPtr++] & 0xff;
        samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
        samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff;
-        int numComponents = buffer.buf[buffer.bufPtr++];
+        int numComponents = buffer.buf[buffer.bufPtr++] & 0xff;
        componentSpecs = new ComponentSpec [numComponents];
        for (int i = 0; i < numComponents; i++) {
            componentSpecs[i] = new ComponentSpec(buffer);