[OpenJDK 2D-Dev] RFR JDK-8191174: PngReader throws IllegalArgumentException because ScanlineStride calculation logic is not proper
Jayathirth D V
jayathirth.d.v at oracle.com
Thu Dec 28 10:12:49 UTC 2017
Thanks for your valuable inputs.
Even though the fix resolves the issue for the particular test case we have it will not solve the buffer overflow problem as you have mentioned in highest limit case or many other cases where the computed value is very high.
Also we cannot change datatype of bytesPerRow/eltsPerRow as they are used in many passed to many other Raster and Stream API's. The best approach to resolve this issue would be to wrap the Exception that we are getting while creating Raster/SampleModel into an IIOException as we have done in https://bugs.openjdk.java.net/browse/JDK-8190332 . By doing this we will abide by specification and also we will have complete stack of why we got the exception so that it can be debugged properly in future.
Please find updated webrev for review:
From: Prahalad Kumar Narayanan
Sent: Tuesday, December 19, 2017 3:08 PM
To: Jayathirth D V; 2d-dev
Subject: RE: [OpenJDK 2D-Dev] RFR JDK-8191174: PngReader throws IllegalArgumentException because ScanlineStride calculation logic is not proper
Good day to you.
I don't think it's possible to fix this issue despite having intermediate " long " variable to hold intermediate bits per pixel.
Here is a simple math that considers the worst case scenario with max values:
. As per the PNG specification, the maximum permissible width, number of bands, bit-depth are as follows-
max_width : (2 ^ 31) - 1 = 2147483647
max_input_bands = 4
max_bit_depth = 16 (2 Bytes)
. As per the logic proposed in the fix, the intermediate bits per row would fit into a "long" variable but bytes per pixel would not fit into "int" variable.
// Fits into "long" data type
max_bits_per_row = max_width * max_input_bands * max_bit_depth
= 2147483647 x 4 x 16
// Does not fit into "int" data type
max_bytes_per_row = max_bits_per_row + 7 / 8
= (0x 3FFFFFFF8 - Goes beyond 4B boundary)
// Upon division by 2 for 16-bit images
max_elts_per_row = max_bytes_per_row / 2
= (0x 1FFFFFFFC - Goes beyond 4B boundary)
. If we intend to store bytes per row (and eltsPerRow which is scanline stride) in a "long" variable, the same cannot be sent to Raster APIs because the APIs accept "int" type for scanline stride in arguments list.
Going by the Raster APIs used in PNGImageReader, a proper fix would require changes to its APIs as well to handle such large scanline stride values.
Have a good day
----- Original Message -----
From: Jayathirth D V
Sent: Thursday, December 14, 2017 1:48 PM
Subject: [OpenJDK 2D-Dev] RFR JDK-8191174: PngReader throws IllegalArgumentException because ScanlineStride calculation logic is not proper
Please review the following fix in JDK :
Bug : https://bugs.openjdk.java.net/browse/JDK-8191174
Webrev : http://cr.openjdk.java.net/~jdv/8191174/webrev.00/
Issue : When we try to read PNG image with large width we throw undocumented IllegalArgumentException with message "Pixel stride times width must be less than or equal to the scanline stride".
Exception in thread "main" java.lang.IllegalArgumentException: Pixel stride times width must be less than or equal to the scanline stride
Root cause : We use large width present in IHDR and calculate elements per row which is passed as scanlinestride for creating the required raster and its corresponding sample model. When the call reaches creation of PixelInterleavedSampleModel it checks the condition of (pixelStride * w) > scanlineStride. Since in our case we pass this condition it throws IllegalArgumentException. We have invalid scanlineStride value because when we calculate elements per row/bytes per row value in PNGImageReader the integer variable buffer is overflowed and we maintain invalid value for bytesPerRow.
Solution : We can maintain the intermediate bitsPerRow value in long datatype and calculate bytesPerRow using the long value and then typecast it to int bytesPerRow variable. By doing this we will maintain the required scanlineStride/eltsPerRow value properly. After this solution we will throw proper IIOException because of changes present in JDK-8190332 and not the undocumented IllegalArgumentException.
More information about the 2d-dev