[OpenJDK 2D-Dev]  RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large
Jayathirth D V
jayathirth.d.v at oracle.com
Tue Nov 14 10:14:25 UTC 2017
Thanks for the review Phil and Prahalad.
Based on the suggestions I have updated the code to wrap underlying Exception/Error in IIOException instead of overriding the message content and removed the check for IndexOutOfBoundsException.
Corresponding test case changes are also done.
Please find updated webrev for review:
From: Phil Race
Sent: Tuesday, November 14, 2017 12:06 AM
To: Jayathirth D V; 2d-dev
Subject: Re: [OpenJDK 2D-Dev]  RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large
1676 IndexOutOfBoundsException |
IndexOutOfBoundsException is a specified exception but as such is thrown outside this try block
so I think you should not re-throw it here but should let it be handled by the block below.
throw new IIOException("BufferOverflow/OOM while reading"
1683 + " the image");
Whilst that's the issue here I think this message will look quite odd
if what we actually had thrown is something like ClassCastException so
I think you should leave it to the underlying exception to report the issue.
Also I had said to wrap the original exception, so what I expected was
throw new IIOException("Caught exception during read: ", e);
On 11/13/2017 01:23 AM, Jayathirth D V wrote:
Please review the following fix in JDK10 :
Bug : https://bugs.openjdk.java.net/browse/JDK-8190332
Webrev : HYPERLINK "http://cr.openjdk.java.net/%7Ejdv/8190332/webrev.00/"http://cr.openjdk.java.net/~jdv/8190332/webrev.00/
Two types of issues are fixed under the same solution, so HYPERLINK "https://bugs.openjdk.java.net/browse/JDK-8190511"JDK-8190511 is closed as duplicate of this issue.
1) PNGImageReader throws OOM error when IHDR width equals/or greater than VM's array size limit.
2) PNGImageReader throws NegativeArraySizeException when IHDR width value is very high.
Root cause :
1) VM doesn't allow creation of array with Size >= ((2 to the power of 31) - 2) so we throw OOM error.
2) We use width from IHDR to calculate needed "bytesPerRow" value as "(inputBands*passWidth*bitDepth + 7)/8". When IHDR width is very high we overflow the integer size of bytesPerRow and when we try to create array using bytesPerRow it throws NegativeArraySizeException.
According to PNG spec maximum value that can be stored in IHDR width/height is (2 to the power of 31). We can't support PNG images with so large height/width, because based on other parameters like inputsBands, bitDepth we will definitely overflow than the maximum buffer value of VM. Also PNG is not a preferred format for such kind of large images.
Instead of catching these OOMError/NegativeArraySizeException at many different levels in PNGImageReader we can catch Throwable at higher level and convert OOMError/ NegativeArraySizeException into IIOException.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the 2d-dev