RFR: 8160327: Support for thumbnails present in APP1 marker for JPEG [v8]
Kevin Rushforth
kcr at openjdk.org
Mon Mar 3 21:17:07 UTC 2025
On Mon, 3 Mar 2025 21:13:18 GMT, Jeremy <duke at openjdk.org> wrote:
>> This adds support for parsing thumbnails in an APP1 Exif marker.
>>
>> This builds on an unfinished proposal by Brian Burkhalter (around 2016). In that previous work the only additional meta info he parsed was the image creation time; this PR similarly includes the same property. (I can't speak to why he included that property, but it looks like he has a lot of experience with ImageIO so I trust his judgment.)
>>
>> ~~The test addresses the original images attached to the ticket plus a few extra images I found on my computer that include unusual properties. (Possibly those images are malformed, but if they exist in the wild and other platforms support them then I'd prefer to support them too.)~~
>>
>> The images used in this test are contributed by Brian and me.
>
> Jeremy has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 31 additional commits since the last revision:
>
> - Merge branch 'master' into JDK-8160327
> - Merge branch 'openjdk:master' into master
> - Revert "8160327: trying to placate PR script"
>
> This reverts commit 52cf81f49a61d80c473b69e4a504eeb1d03c38a3.
> - 8160327: trying to placate PR script
>
> The github script still classifies two of the sample jpgs as executable files, which it classifies as errors.
> - 8160327: trying to placate PR script
>
> Some github script is concluding:
> ```
> Errors
> ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/jfif_and_exif.jpg)
> ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/malicious_looping_IFD.jpg)
> ```
>
> I'm trying to figure out what separates these files from the other JPGs. Maybe I need to use hyphens instead of underscores...? Let's check.
> - 8160327: replacing the "sony-d700" image
>
> The origins of that image were unknown, so we weren't sure if we had the rights to store it in the OpenJDK repo.
>
> I couldn't figure out how to create this kind of uncompressed thumbnail from an image editing app, so I spliced this new file together manually in a hex editor using the sony-d700 image as a blueprint.
> - 8160327: fix looping ImageFileDirectory vulnerability
>
> There was a `while` loop that someone could exploit to loop infinitely. Now we read exactly 2 iterations and stop.
> - 8160327: remove bug ID from image file names
>
> Now the bug ID is mentioned in their parent directory name.
>
> This is in response to:
> https://github.com/openjdk/jdk/pull/22898#issuecomment-2675396159
> - 8160327: replace image of unknown origin with my own image
> - 8160327: alphabetize imports
>
> This is in response to:
> https://github.com/openjdk/jdk/pull/22898#discussion_r1956718373
> - ... and 21 more: https://git.openjdk.org/jdk/compare/caf53b2e...b70b0802
Btw, two of the files are executable. To fix this: `chmod 644 file [file ...]` and then commit the change in file permission.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22898#issuecomment-2695550383
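Added example, not part of the message above, the PR, or ImageIO: the "looping ImageFileDirectory" commit refers to the next-IFD pointer that closes every TIFF directory inside an Exif APP1 segment. The code below constructs (not taken from any real camera file) small TIFF bodies whose pointers are benign, form a cycle, or point past the end of the data, and runs two walkers over them: a naive one that follows the pointer until it reads 0, and a hardened one that reads at most two directories (IFD0 and IFD1, matching "exactly 2 iterations" in the commit message), refuses to revisit an offset, and bounds-checks each directory. Tag numbers, field values and the MAX_IFDS constant are illustrative assumptions, not the project's code.

```python
import struct

# An Exif APP1 payload is the bytes "Exif\0\0" followed by a TIFF structure.
# TIFF header: 2-byte byte order ("II" or "MM"), uint16 magic 42, uint32 offset
# of IFD0. Each IFD: uint16 entry count, count x 12-byte entries
# (tag, type, count, value/offset), then a uint32 offset of the next IFD,
# 0 meaning "no more". A malicious file can aim that trailing pointer back at
# an earlier IFD so that a walker which loops until it sees 0 never stops.

MAX_IFDS = 2  # assumption: Exif needs IFD0 (primary image) and IFD1 (thumbnail) only


def build_tiff(ifd0_next=26, ifd1_next=0):
    """Constructed sample: little-endian TIFF body with IFD0 at offset 8 and
    IFD1 at offset 26. The parameters set the next-IFD pointers, so callers
    can wire the directories into a cycle or point them out of range."""
    header = b"II" + struct.pack("<HI", 42, 8)
    # IFD0: one entry, ImageWidth (0x0100), SHORT (3), count 1, value 640
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", 0x0100, 3, 1, 640) \
        + struct.pack("<I", ifd0_next)
    # IFD1: one entry, JPEGInterchangeFormat (0x0201), LONG (4), count 1, value 0x1234
    ifd1 = struct.pack("<H", 1) + struct.pack("<HHII", 0x0201, 4, 1, 0x1234) \
        + struct.pack("<I", ifd1_next)
    return header + ifd0 + ifd1  # 8 + 18 + 18 = 44 bytes


def _byte_order(data):
    """Return the struct prefix for the file's byte order after checking the magic."""
    if len(data) < 8:
        raise ValueError("TIFF header truncated")
    if data[:2] == b"II":
        bo = "<"
    elif data[:2] == b"MM":
        bo = ">"
    else:
        raise ValueError("not a TIFF header")
    if struct.unpack_from(bo + "H", data, 2)[0] != 42:
        raise ValueError("bad TIFF magic")
    return bo


def _read_ifd(data, offset, bo):
    """Parse one IFD at `offset`; returns ({tag: (type, count, value)}, next_offset).
    The 4-byte value field is returned raw; a real parser decodes it per type."""
    if offset + 2 > len(data):
        raise ValueError(f"IFD offset {offset} outside data")
    count = struct.unpack_from(bo + "H", data, offset)[0]
    end = offset + 2 + 12 * count + 4
    if end > len(data):
        raise ValueError(f"IFD at {offset} with {count} entries overruns data")
    entries = {}
    for i in range(count):
        tag, typ, n, value = struct.unpack_from(bo + "HHII", data, offset + 2 + 12 * i)
        entries[tag] = (typ, n, value)
    next_offset = struct.unpack_from(bo + "I", data, end - 4)[0]
    return entries, next_offset


def walk_ifds_naive(data, max_steps=1000):
    """Pre-fix pattern: follow next-IFD pointers until one reads 0. With a
    pointer cycle this never reaches 0. `max_steps` is not part of the
    vulnerable pattern; it only lets this demo report the hang instead of spinning."""
    bo = _byte_order(data)
    offset = struct.unpack_from(bo + "I", data, 4)[0]
    ifds = []
    while offset != 0:
        if len(ifds) >= max_steps:
            raise RuntimeError(f"still walking after {max_steps} IFDs: pointer cycle")
        entries, offset = _read_ifd(data, offset, bo)
        ifds.append(entries)
    return ifds


def walk_ifds_hardened(data):
    """Bounded walk: read at most MAX_IFDS directories, reject a next pointer
    that revisits an offset already parsed, and bounds-check every directory."""
    bo = _byte_order(data)
    offset = struct.unpack_from(bo + "I", data, 4)[0]
    seen = set()
    ifds = []
    while offset != 0 and len(ifds) < MAX_IFDS:
        if offset in seen:
            raise ValueError(f"next-IFD pointer revisits offset {offset}")
        seen.add(offset)
        entries, offset = _read_ifd(data, offset, bo)
        ifds.append(entries)
    return ifds


def outcome(walker, data, **kw):
    """Run a walker and report ('ok', number_of_ifds) or ('error', ExceptionName)."""
    try:
        return ("ok", len(walker(data, **kw)))
    except (ValueError, RuntimeError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    samples = [
        ("benign", build_tiff()),                      # IFD0 -> IFD1 -> end
        ("loop_to_ifd0", build_tiff(ifd1_next=8)),     # IFD0 -> IFD1 -> IFD0 -> ...
        ("self_loop", build_tiff(ifd0_next=8)),        # IFD0 -> IFD0
        ("out_of_range", build_tiff(ifd0_next=4000)),  # pointer past end of data
    ]
    for name, data in samples:
        print(f"{name:13s} naive={outcome(walk_ifds_naive, data, max_steps=50)} "
              f"hardened={outcome(walk_ifds_hardened, data)}")
```

The two-directory cap alone already defeats the IFD1-to-IFD0 cycle (the hardened walker returns the two directories it needs and ignores the poisoned pointer), but the `seen` set and the length check matter as well: a file whose IFD0 points at itself, or at an offset beyond the data, is rejected with an error instead of being silently truncated or read out of bounds.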