Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
a786fe0f
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
a786fe0f
编写于
10月 10, 2013
作者:
B
bae
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
7058618: PNG parser bugs found via zzuf fuzzing
Reviewed-by: prr, vadim
上级
a429fb14
变更
1
隐藏空白更改
内联
并排
Showing
1 changed file
with
30 addition
and
1 deletion
+30
-1
src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
...e/classes/com/sun/imageio/plugins/png/PNGImageReader.java
+30
-1
未找到文件。
src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
浏览文件 @
a786fe0f
...
...
@@ -688,6 +688,21 @@ public class PNGImageReader extends ImageReader {
loop:
while
(
true
)
{
int
chunkLength
=
stream
.
readInt
();
int
chunkType
=
stream
.
readInt
();
int
chunkCRC
;
// verify the chunk length
if
(
chunkLength
<
0
)
{
throw
new
IIOException
(
"Invalid chunk lenght "
+
chunkLength
);
};
try
{
stream
.
mark
();
stream
.
seek
(
stream
.
getStreamPosition
()
+
chunkLength
);
chunkCRC
=
stream
.
readInt
();
stream
.
reset
();
}
catch
(
IOException
e
)
{
throw
new
IIOException
(
"Invalid chunk length "
+
chunkLength
);
}
switch
(
chunkType
)
{
case
IDAT_TYPE:
...
...
@@ -762,7 +777,11 @@ public class PNGImageReader extends ImageReader {
break
;
}
int
chunkCRC
=
stream
.
readInt
();
// double check whether all chunk data were consumed
if
(
chunkCRC
!=
stream
.
readInt
())
{
throw
new
IIOException
(
"Failed to read a chunk of type "
+
chunkType
);
}
stream
.
flushBefore
(
stream
.
getStreamPosition
());
}
}
catch
(
IOException
e
)
{
...
...
@@ -1277,6 +1296,16 @@ public class PNGImageReader extends ImageReader {
is
=
new
BufferedInputStream
(
is
);
this
.
pixelStream
=
new
DataInputStream
(
is
);
/*
* NB: the PNG spec declares that valid range for width
* and height is [1, 2^31-1], so here we may fail to allocate
* a buffer for destination image due to memory limitation.
*
* However, the recovery strategy for this case should be
* defined on the level of application, so we will not
* try to estimate the required amount of the memory and/or
* handle OOM in any way.
*/
theImage
=
getDestination
(
param
,
getImageTypes
(
0
),
width
,
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录