RFR: 8160327: Support for thumbnails present in APP1 marker for JPEG [v8]

Jeremy duke at openjdk.org
Mon Mar 3 22:51:11 UTC 2025 

On Mon, 3 Mar 2025 21:14:47 GMT, Kevin Rushforth <kcr at openjdk.org> wrote:

>> Jeremy has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 31 additional commits since the last revision:
>> 
>>  - Merge branch 'master' into JDK-8160327
>>  - Merge branch 'openjdk:master' into master
>>  - Revert "8160327: trying to placate PR script"
>>    
>>    This reverts commit 52cf81f49a61d80c473b69e4a504eeb1d03c38a3.
>>  - 8160327: trying to placate PR script
>>    
>>    The github script still classifies two of the sample jpgs as executable files, which it classifies as errors.
>>  - 8160327: trying to placate PR script
>>    
>>    Some github script is concluding:
>>    ```
>>    Errors
>>     ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/jfif_and_exif.jpg)
>>     ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/malicious_looping_IFD.jpg)
>>    ```
>>    
>>    I'm trying to figure what separates these files from the other JPGs. Maybe I need to use hyphens instead of underscores...? Let's check.
>>  - 8160327: replacing the "sony-d700" image
>>    
>>    The origins of that image were unknown, so we weren't sure if we had the rights to store it in the OpenJDK repo.
>>    
>>    I couldn't figure out how to create this kind of uncompressed thumbnail from an image editing app, so I spliced this new file together manually in a hex editor using the sony-d700 image as a blueprint.
>>  - 8160327: fix looping ImageFileDirectory vulnerability
>>    
>>    There was a `while` loop that someone could exploit to loop infinitely. Now we read exactly 2 iterations and stop.
>>  - 8160327: remove bug ID from image file names
>>    
>>    Now the bug ID is mentioned in their parent directory name.
>>    
>>    This is in response to:
>>    https://github.com/openjdk/jdk/pull/22898#issuecomment-2675396159
>>  - 8160327: replace image of unknown origin with my own image
>>  - 8160327: alphabetize imports
>>    
>>    This is in response to:
>>    https://github.com/openjdk/jdk/pull/22898#discussion_r1956718373
>>  - ... and 21 more: https://git.openjdk.org/jdk/compare/5af1de32...b70b0802
>
> Btw, two of the files are executable. To fix this: `chmod 644 file [file ...]` and then commit the change in file permission.

@kevinrushforth thanks, the executable error doesn't appear now.

I merged and double-checked that all imageio.* tests pass on my M2 Mac.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/22898#issuecomment-2695742275

More information about the client-libs-dev mailing list