#595 Avoid infinite loop on corrupted JPEG stream

(cherry picked from commit ba0bb7b)
haraldk · Mar 8, 2021 · af0a388 · af0a388
1 parent 6acdfd3
commit af0a388
Show file tree

Hide file tree

Showing 5 changed files with 67 additions and 15 deletions.
diff --git a/...io/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReader.java b/...io/imageio-jpeg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReader.java
@@ -178,19 +178,7 @@ public String getFormatName() throws IOException {
     private boolean isLossless() throws IOException {
         assertInput();
 
-        try {
-            if (getSOF().marker == JPEG.SOF3) {
-                return true;
-            }
-        }
-        catch (IIOException e) {
-            // May happen if no SOF is found, in case we'll just fall through
-            if (DEBUG) {
-                e.printStackTrace();
-            }
-        }
-
-        return false;
+        return getSOF().marker == JPEG.SOF3;
     }
 
     @Override

diff --git a/...peg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStream.java b/...peg/src/main/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStream.java
@@ -572,12 +572,17 @@ public void seek(final ImageInputStream stream, final long newPos) throws IOExce
 
         @Override
         public int read(final ImageInputStream stream) {
-            return data[pos++] & 0xff;
+            return data.length > pos ? data[pos++] & 0xff : -1;
         }
 
         @Override
         public int read(final ImageInputStream stream, byte[] b, int off, int len) {
-            int length = Math.min(data.length - pos, len);
+            int dataLeft = data.length - pos;
+            if (dataLeft <= 0) {
+                return -1;
+            }
+
+            int length = Math.min(dataLeft, len);
             System.arraycopy(data, pos, b, off, length);
             pos += length;
 

diff --git a/...mageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReaderTest.java b/...mageio-jpeg/src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGImageReaderTest.java
@@ -61,6 +61,8 @@
 import java.util.*;
 
 import static com.twelvemonkeys.imageio.util.IIOUtil.lookupProviderByName;
+import static org.hamcrest.CoreMatchers.allOf;
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.junit.Assert.*;
 import static org.junit.Assume.assumeNoException;
@@ -1959,4 +1961,36 @@ public void testReadEmptyICCProfile() throws IOException {
             reader.dispose();
         }
     }
+
+    @Test(timeout = 1000L)
+    public void testInfiniteLoopCorrupt() throws IOException {
+        ImageReader reader = createReader();
+
+        try (ImageInputStream iis = ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg"))) {
+            reader.setInput(iis);
+
+            try {
+                reader.read(0, null);
+            }
+            catch (IIOException expected) {
+                assertThat(expected.getMessage(), allOf(containsString("SOF"), containsString("stream")));
+            }
+        }
+    }
+
+    @Test(timeout = 1000L)
+    public void testInfiniteLoopCorruptRaster() throws IOException {
+        ImageReader reader = createReader();
+
+        try (ImageInputStream iis = ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg"))) {
+            reader.setInput(iis);
+
+            try {
+                reader.readRaster(0, null);
+            }
+            catch (IIOException expected) {
+                assertThat(expected.getMessage(), allOf(containsString("SOF"), containsString("stream")));
+            }
+        }
+    }
 }
diff --git a/...src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStreamTest.java b/...src/test/java/com/twelvemonkeys/imageio/plugins/jpeg/JPEGSegmentImageInputStreamTest.java
@@ -228,4 +228,29 @@ public void testEOFExceptionInSegmentParsingShouldNotCreateBadState() throws IOE
         assertEquals(-1, iis.read());
         assertEquals(0x2012, iis.getStreamPosition());
     }
+
+
+    @Test(timeout = 1000L)
+    public void testInfiniteLoopCorrupt() throws IOException {
+        try (ImageInputStream stream = new JPEGSegmentImageInputStream(ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg")))) {
+            long length = 0;
+            while (stream.read() != -1) {
+                length++;
+            }
+
+            assertEquals(25504L, length); // Sanity check: same as file size, except..?
+        }
+
+        try (ImageInputStream stream = new JPEGSegmentImageInputStream(ImageIO.createImageInputStream(getClassLoaderResource("/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg")))) {
+            long length = 0;
+            byte[] buffer = new byte[1024];
+            int read;
+            while ((read = stream.read(buffer)) != -1) {
+                length += read;
+            }
+
+            assertEquals(25504L, length); // Sanity check: same as file size, except..?
+        }
+    }
 }
+
diff --git a/.../test/resources/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg b/.../test/resources/broken-jpeg/110115680-6d6dce80-7d84-11eb-99df-4cb21df3b09f.jpeg