[OpenJDK 2D-Dev] [10] RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large

Jayathirth D V jayathirth.d.v at oracle.com
Tue Nov 14 10:14:25 UTC 2017



Thanks for the review Phil and Prahalad.


Based on the suggestions I have updated the code to wrap underlying Exception/Error in IIOException instead of overriding the message content and removed the check for IndexOutOfBoundsException.

Corresponding test case changes are also done.


Please find updated webrev for review:






From: Phil Race 
Sent: Tuesday, November 14, 2017 12:06 AM
To: Jayathirth D V; 2d-dev
Subject: Re: [OpenJDK 2D-Dev] [10] RFR JDK-8190332: PngReader throws NegativeArraySizeException/OOM error when IHDR width is very large


1676                  IndexOutOfBoundsException |
IndexOutOfBoundsException is a specified exception but as such is thrown outside this try block
so I think you should not re-throw it here but should let it be handled by the block below.
  throw new IIOException("BufferOverflow/OOM while reading"
1683                     + " the image");
Whilst that's the issue here I think this message will look quite odd
if what we actually had thrown is something like ClassCastException so
I think you should leave it to the underlying exception to report the issue.
Also I had said to wrap the original exception, so what I expected was
throw new IIOException("Caught exception during read: ", e);


On 11/13/2017 01:23 AM, Jayathirth D V wrote:

Hello All,


Please review the following fix in JDK10 :


Bug : https://bugs.openjdk.java.net/browse/JDK-8190332 

Webrev : HYPERLINK "http://cr.openjdk.java.net/%7Ejdv/8190332/webrev.00/"http://cr.openjdk.java.net/~jdv/8190332/webrev.00/ 


Issue : 

Two types of issues are fixed under the same solution, so HYPERLINK "https://bugs.openjdk.java.net/browse/JDK-8190511"JDK-8190511 is closed as duplicate of this issue.

1) PNGImageReader throws OOM error when IHDR width equals/or greater than VM's array size limit.

2) PNGImageReader throws NegativeArraySizeException when IHDR width value is very high.


Root cause : 

1)      VM doesn't allow creation of array with Size >= ((2 to the power of 31) - 2) so we throw OOM error.

2)      We use width from IHDR to calculate needed "bytesPerRow" value as "(inputBands*passWidth*bitDepth + 7)/8". When IHDR width is very high we overflow the integer size of bytesPerRow and when we try to create array using bytesPerRow it throws NegativeArraySizeException.


Solution :

According to PNG spec maximum value that can be stored in IHDR width/height is (2 to the power of 31). We can't support PNG images with so large height/width, because based on other parameters like inputsBands, bitDepth we will definitely           overflow than the maximum buffer value of VM. Also PNG is not a preferred format for such kind of large images.

                Instead of catching these OOMError/NegativeArraySizeException at many different levels in PNGImageReader we can catch Throwable at higher level and convert OOMError/ NegativeArraySizeException into IIOException.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/2d-dev/attachments/20171114/0a03377b/attachment-0001.html>

More information about the 2d-dev mailing list