src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
Print this page
*** 662,671 ****
--- 662,677 ----
int colorType = metadata.IHDR_colorType;
if (ignoreMetadata && colorType != PNG_COLOR_PALETTE) {
try {
while (true) {
int chunkLength = stream.readInt();
+
+ // verify the chunk length first
+ if (chunkLength < 0 || chunkLength + 4 < 0) {
+ throw new IIOException("Invalid chunk length " + chunkLength);
+ }
+
int chunkType = stream.readInt();
if (chunkType == IDAT_TYPE) {
// We've reached the image data
stream.skipBytes(-8);
*** 690,700 ****
int chunkType = stream.readInt();
int chunkCRC;
// verify the chunk length
if (chunkLength < 0) {
! throw new IIOException("Invalid chunk lenght " + chunkLength);
};
try {
stream.mark();
stream.seek(stream.getStreamPosition() + chunkLength);
--- 696,706 ----
int chunkType = stream.readInt();
int chunkCRC;
// verify the chunk length
if (chunkLength < 0) {
! throw new IIOException("Invalid chunk length " + chunkLength);
};
try {
stream.mark();
stream.seek(stream.getStreamPosition() + chunkLength);