This is an automated email from the ASF dual-hosted git repository. kinow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/commons-imaging.git
The following commit(s) were added to refs/heads/master by this push: new 3103957 [IMAGING-318] Validate index when accessing GIF parser color table 3103957 is described below commit 310395799ed09a6b8848115b847bf0a49bc0ad45 Author: Bruno P. Kinoshita <ki...@apache.org> AuthorDate: Sat Nov 6 18:11:58 2021 +1300 [IMAGING-318] Validate index when accessing GIF parser color table --- src/changes/changes.xml | 3 +++ .../commons/imaging/formats/gif/GifImageParser.java | 3 +++ .../apache/commons/imaging/formats/gif/GifReadTest.java | 15 +++++++++++++++ ...-testcase-minimized-ImagingGifFuzzer-5005192379629568 | Bin 0 -> 36 bytes 4 files changed, 21 insertions(+)
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 34f3291..3691f17 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -165,6 +165,9 @@ The <action> type attribute can be add,update,fix,remove.
 <action issue="IMAGING-317" dev="kinow" type="fix" due-to="OSS-Fuzz">
 A PNG image using indexed color type but no PLTE chunks throws NPE.
 </action>
+ <action issue="IMAGING-318" dev="kinow" type="fix" due-to="OSS-Fuzz">
+ Validate when accessing GIF color table array.
+ </action>
 </release>
 <release version="1.0-alpha2" date="2020-08-01" description="Second 1.0 alpha release">
 <action issue="IMAGING-258" dev="kinow" type="update" due-to="Gary Lucas">
diff --git a/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java b/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
index 105db38..a8e6a3f 100644
--- a/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
+++ b/src/main/java/org/apache/commons/imaging/formats/gif/GifImageParser.java
@@ -784,6 +784,9 @@ public class GifImageParser extends ImageParser implements XmpEmbeddable { throw new ImageReadException(String.format("Invalid GIF image data length [%d], greater than the image data length [%d]", id.imageData.length, width)); } final int index = 0xff & id.imageData[counter++]; + if (index >= colorTable.length) { + throw new ImageReadException(String.format("Invalid GIF color table index [%d], greater than the color table length [%d]", index, colorTable.length)); + } int rgb = colorTable[index]; if (transparentIndex == index) { diff --git a/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java b/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java index 00e2bfd..ea69a9e 100644 --- a/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java +++ b/src/test/java/org/apache/commons/imaging/formats/gif/GifReadTest.java @@ -182,4 +182,19 @@ public class GifReadTest extends GifBaseTest { final GifImageParser parser = new GifImageParser(); assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap())); } + + /** + * Test that invalid indexes are validated when accessing GIF color table array. + * + * <p>See Google OSS Fuzz issue 34185</p> + * + * @throws IOException if it fails to read the test image + */ + @Test + public void testUncaughtExceptionOssFuzz34185() throws IOException { + final String input = "/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568"; + final String file = GifReadTest.class.getResource(input).getFile(); + final GifImageParser parser = new GifImageParser(); + assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap())); + } } 
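Review bot: The message on the added `ImageReadException` in the GifImageParser hunk says the index is "greater than the color table length", but the guard is `index >= colorTable.length`, so an index equal to the length is reported inaccurately. Wording such as `"Invalid GIF color table index [%d], must be less than the color table length [%d]"` matches the condition. A short comment above the guard would also help the next reader, for example `// index comes from the decoded image data (0..255) and may exceed a color table with fewer entries`. The enclosing loop and method start and end outside the hunk, so whether `colorTable` is guaranteed non-null at this point cannot be confirmed from the visible lines.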
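Review bot: The new test `testUncaughtExceptionOssFuzz34185` in the GifReadTest hunk only pins the exception type, so it does not prove the new color-table guard is the branch being hit. The parser hunk shows an earlier "Invalid GIF image data length" check that also throws `ImageReadException`, and the test would pass on that path too. Capturing the exception and checking its message would tie the regression test to the fix: `final ImageReadException e = assertThrows(ImageReadException.class, () -> parser.getBufferedImage(new ByteSourceFile(new File(file)), Collections.emptyMap()));` followed by `assertTrue(e.getMessage().contains("Invalid GIF color table index"));` (assuming `assertTrue` is imported in this file, which is not visible here). Separately, `GifReadTest.class.getResource(input).getFile()` fails with a bare `NullPointerException` if the fixture is missing, which hides the real cause; a null check with a clear failure message would make that case obvious.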
diff --git a/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568 b/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568
new file mode 100644
index 0000000..4624bb5
Binary files /dev/null and b/src/test/resources/images/gif/IMAGING-318/clusterfuzz-testcase-minimized-ImagingGifFuzzer-5005192379629568 differ