[OpenJDK 2D-Dev] [10] RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large

Prahalad Kumar Narayanan prahalad.kumar.narayanan at oracle.com
Mon Nov 13 10:06:50 UTC 2017

Hello Jay

Good day to you. I looked into the changes. 
Here are my views-

    . As per the code changes in the lines mentioned below, every "Throwable" (other than the 4 exceptions listed in the first catch block) is considered- "BufferOverflow/OOM".  This is incorrect.
          . Say for example, a future change to code within readImage method resulted in a NullPointerException, this would get incorrectly reported as- BufferOverflow/ OOM as per the changes.

    . Secondly, throwing one IIOException with a combined message will confuse the programmer- Was it OOM ? or was it BufferOverflow that caused the reader to exit ? 
          . If the intent is to process and throw IIOException with meaningful message, I believe, we should handle them separately and throw one IIOException for each with a suitable message.

    1675         } catch (IOException |
    1676                  IndexOutOfBoundsException |
    1677                  IllegalStateException |
    1678                  IllegalArgumentException e)
    1679         {
    1680             throw e;
    1681         } catch (Throwable e) {
    1682             throw new IIOException("BufferOverflow/OOM while reading"
    1683                     + " the image");
    1684         }

Have a good day


----- Original Message -----
From: Jayathirth D V 
Sent: Monday, November 13, 2017 2:53 PM
To: 2d-dev
Subject: [OpenJDK 2D-Dev] [10] RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large

Hello All,

Please review the following fix in JDK10 :

Bug : https://bugs.openjdk.java.net/browse/JDK-8190332 
Webrev : http://cr.openjdk.java.net/~jdv/8190332/webrev.00/ 

Issue : 
       Two types of issues are fixed under the same solution, so JDK-8190511 is closed as duplicate of this issue.
       1) PNGImageReader throws OOM error when IHDR width equals/or greater than VM's array size limit.
       2) PNGImageReader throws NegativeArraySizeException when IHDR width value is very high.

Root cause : 
1) VM doesn't allow creation of array with Size >= ((2 to the power of 31) - 2) so we throw OOM error.
2) We use width from IHDR to calculate needed "bytesPerRow" value as "(inputBands*passWidth*bitDepth + 7)/8". When IHDR width is very high we overflow the integer size of bytesPerRow and when we try to create array using bytesPerRow it throws NegativeArraySizeException.

Solution :
       According to PNG spec maximum value that can be stored in IHDR width/height is (2 to the power of 31). We can't support PNG images with so large height/width, because based on other parameters like inputsBands, bitDepth we will definitely           overflow than the maximum buffer value of VM. Also PNG is not a preferred format for such kind of large images.
                Instead of catching these OOMError/NegativeArraySizeException at many different levels in PNGImageReader we can catch Throwable at higher level and convert OOMError/ NegativeArraySizeException into IIOException.


More information about the 2d-dev mailing list