RFR: 8160327: Support for thumbnails present in APP1 marker for JPEG [v8]
Jeremy
duke at openjdk.org
Mon Mar 3 22:51:11 UTC 2025
On Mon, 3 Mar 2025 21:14:47 GMT, Kevin Rushforth <kcr at openjdk.org> wrote:
>> Jeremy has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 31 additional commits since the last revision:
>>
>> - Merge branch 'master' into JDK-8160327
>> - Merge branch 'openjdk:master' into master
>> - Revert "8160327: trying to placate PR script"
>>
>> This reverts commit 52cf81f49a61d80c473b69e4a504eeb1d03c38a3.
>> - 8160327: trying to placate PR script
>>
>> The github script still classifies two of the sample jpgs as executable files, which it classifies as errors.
>> - 8160327: trying to placate PR script
>>
>> Some github script is concluding:
>> ```
>> Errors
>> ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/jfif_and_exif.jpg)
>> ⚠️ Executable files are not allowed (file: test/jdk/javax/imageio/plugins/jpeg/JpegExifThumbnail/malicious_looping_IFD.jpg)
>> ```
>>
>> I'm trying to figure what separates these files from the other JPGs. Maybe I need to use hyphens instead of underscores...? Let's check.
>> - 8160327: replacing the "sony-d700" image
>>
>> The origins of that image were unknown, so we weren't sure if we had the rights to store it in the OpenJDK repo.
>>
>> I couldn't figure out how to create this kind of uncompressed thumbnail from an image editing app, so I spliced this new file together manually in a hex editor using the sony-d700 image as a blueprint.
>> - 8160327: fix looping ImageFileDirectory vulnerability
>>
>> There was a `while` loop that someone could exploit to loop infinitely. Now we read exactly 2 iterations and stop.
>> - 8160327: remove bug ID from image file names
>>
>> Now the bug ID is mentioned in their parent directory name.
>>
>> This is in response to:
>> https://github.com/openjdk/jdk/pull/22898#issuecomment-2675396159
>> - 8160327: replace image of unknown origin with my own image
>> - 8160327: alphabetize imports
>>
>> This is in response to:
>> https://github.com/openjdk/jdk/pull/22898#discussion_r1956718373
>> - ... and 21 more: https://git.openjdk.org/jdk/compare/5af1de32...b70b0802
>
> Btw, two of the files are executable. To fix this: `chmod 644 file [file ...]` and then commit the change in file permission.
@kevinrushforth thanks, the executable error doesn't appear now.
I merged and double-checked that all imageio.* tests pass on my M2 Mac.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/22898#issuecomment-2695742275
More information about the client-libs-dev
mailing list