RFR: 8160327: Support for thumbnails present in APP1 marker for JPEG [v8]
Jeremy
duke at openjdk.org
Mon Mar 3 21:13:18 UTC 2025
> This adds support for parsing thumbnails in an APP1 Exif marker.
>
> This builds on an unfinished proposal by Brian Burkhalter (around 2016). In that previous work the only additional meta info he parsed was the image creation time; this PR similarly includes the same property. (I can't speak to why he included that property, but it looks like he has a lot of experience with ImageIO so I trust his judgment.)
>
> ~~The test addresses the original images attached to the ticket plus a few extra images I found on my computer that include unusual properties. (Possibly those images are malformed, but if they exist in the wild and other platforms support them then I'd prefer to support them too.)~~
>
> The images used in this test are contributed by Brian and me.
Jeremy has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 31 additional commits since the last revision:

 - Merge branch 'master' into JDK-8160327
 - Merge branch 'openjdk:master' into master
 - Revert "8160327: trying to placate PR script"

   This reverts commit 52cf81f49a61d80c473b69e4a504eeb1d03c38a3.
 - 8160327: trying to placate PR script

   The github script still classifies two of the sample jpgs as executable files, which it classifies as errors.
 - 8160327: trying to placate PR script

   Some github script is concluding:
   ```
   Errors
   ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/jfif_and_exif.jpg)
   ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/malicious_looping_IFD.jpg)
   ```
   I'm trying to figure what separates these files from the other JPGs. Maybe I need to use hyphens instead of underscores...? Let's check.
 - 8160327: replacing the "sony-d700" image

   The origins of that image were unknown, so we weren't sure if we had the rights to store it in the OpenJDK repo.

   I couldn't figure out how to create this kind of uncompressed thumbnail from an image editing app, so I spliced this new file together manually in a hex editor using the sony-d700 image as a blueprint.
 - 8160327: fix looping ImageFileDirectory vulnerability

   There was a `while` loop that someone could exploit to loop infinitely. Now we read exactly 2 iterations and stop.
 - 8160327: remove bug ID from image file names

   Now the bug ID is mentioned in their parent directory name.

   This is in response to:
   https://github.com/openjdk/jdk/pull/22898#issuecomment-2675396159
 - 8160327: replace image of unknown origin with my own image
 - 8160327: alphabetize imports

   This is in response to:
   https://github.com/openjdk/jdk/pull/22898#discussion_r1956718373
 - ... and 21 more: https://git.openjdk.org/jdk/compare/5c43b70e...b70b0802
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/22898/files
- new: https://git.openjdk.org/jdk/pull/22898/files/52cf81f4..b70b0802
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=22898&range=07
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=22898&range=06-07
Stats: 252503 lines in 5866 files changed: 122075 ins; 103730 del; 26698 mod
Patch: https://git.openjdk.org/jdk/pull/22898.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/22898/head:pull/22898
PR: https://git.openjdk.org/jdk/pull/22898