JDK-8188756 : ImageIO throws IndexOutOfBoundsException on faulty JPEG
  • Type: Bug
  • Component: client-libs
  • Sub-Component: javax.imageio
  • Affected Version: 6,7-pool,8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Incomplete
  • OS: generic
  • CPU: generic
  • Submitted: 2017-09-29
  • Updated: 2019-02-19
  • Resolved: 2017-10-09
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
openjdk version "9"
OpenJDK Runtime Environment (build 9+181)
OpenJDK 64-Bit Server VM (build 9+181, mixed mode)

Also present in other versions I tested with (Oracle 7 and 8, OpenJDK 8).

ADDITIONAL OS VERSION INFORMATION :
Linux 4.10.0-35-generic #39-Ubuntu SMP Wed Sep 13 07:46:59 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
I fuzzed JPEG loading with javax.imageio.ImageIO using the AFL-based fuzzing tool Kelinci (https://github.com/isstac/kelinci). It found an input on which ImageIO.read() throws an IndexOutOfBoundsException. Per the specification, it should throw an IOException instead for faulty JPEGs.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Run the attached test case on the faulty JPEG image generated by Kelinci. Unfortunately I cannot attach the JPEG here, please get in touch and I'll send it.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
ImageIO.read() throws an IIOException, which is then caught by an application using the library.
ACTUAL -
ImageIO.read() throws an IndexOutOfBoundsException, crashing the thread it was called from.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Exception in thread "main" java.lang.IndexOutOfBoundsException: Index -1 out-of-bounds for length 0
	at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
	at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
	at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
	at java.base/java.util.Objects.checkIndex(Objects.java:372)
	at java.base/java.util.ArrayList.get(ArrayList.java:439)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.checkTablesOnly(JPEGImageReader.java:378)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.gotoImage(JPEGImageReader.java:493)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readHeader(JPEGImageReader.java:716)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readInternal(JPEGImageReader.java:1173)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.read(JPEGImageReader.java:1153)
	at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
	at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1315)
	at DriverKelinci.main(DriverKelinci.java:18)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;

import javax.imageio.ImageIO;

public class DriverKelinci
{
  public static void main(final String[] args) {

    if (args.length != 1) {
      System.err.println("Expects file name as parameter");
      return;
    }

    try {
      File imageFile = new File(args[0]);
      BufferedImage bi = ImageIO.read(imageFile);
    } catch (IOException e) {
      e.printStackTrace();
    }

    System.out.println("Done.");
  }
}

---------- END SOURCE ----------


Comments
Attached DriverKelinci.java is nothing but an error report in HTML file. Attached NegSegmentSize.JPG: When I checked hex values of this file it also reveals that it has HTML file header. I ran test case present in the description using attached NegSegmentSize.JPG but it doesn't throw any IndexOutOfBoundsException. I ran the test case in Windows 7 64 bit in JDK10 latest, JDK 9 - ea 180 & JDK 1.8.0_112.
09-10-2017

Reported with Ubuntu 17.04 JDK 9

According to description, loading a faulty jpeg image created with AFL-based Kelinci tool with javax.imageio.ImageIO found that ImageIO.read() throws an IndexOutOfBoundsException, crashing the thread it was called from. According to specification, it should throw an IOException instead for faulty JPEGs.
http://docs.oracle.com/javase/9/docs/api/index.html?javax/imageio/class-use/ImageIO.html

Result:
========
6: FAIL
7: FAIL
8u144: FAIL
9: FAIL

Run with JDK 9
=============================================
>java DriverKelinci NegSegmentSize.JPG
Exception in thread "main" java.lang.IndexOutOfBoundsException: Index -1 out-of-bounds for length 0
	at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
	at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
	at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:248)
	at java.base/java.util.Objects.checkIndex(Objects.java:372)
	at java.base/java.util.ArrayList.get(ArrayList.java:439)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.checkTablesOnly(JPEGImageReader.java:378)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.gotoImage(JPEGImageReader.java:493)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readHeader(JPEGImageReader.java:716)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.readInternal(JPEGImageReader.java:1173)
	at java.desktop/com.sun.imageio.plugins.jpeg.JPEGImageReader.read(JPEGImageReader.java:1153)
	at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1468)
	at java.desktop/javax.imageio.ImageIO.read(ImageIO.java:1315)
	at DriverKelinci.main(DriverKelinci.java:18)
====================================

However, not sure if this is a Java issue as we are not sure what action the fuzzy tool actually performs. Does it modify the jpeg header information? If jpeg header is not modified it can't be considered as faulty.
Verified in Windows 10 (64-bit) with attached test case for JDK 6, 7, 8, and 9 and could confirm the results though.
05-10-2017
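
Added example, not part of the original report or of the JDK: an application that decodes untrusted images can keep a single failure path on the affected versions by converting any unchecked exception from the decoder into an IIOException. The class name `SafeImageRead`, the helper `readUntrusted` and the sample bytes are assumptions made for illustration; the bytes are constructed here, are not the reporter's NegSegmentSize.JPG, and are not claimed to reach the same code path.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

import javax.imageio.IIOException;
import javax.imageio.ImageIO;

public class SafeImageRead {

  // Hypothetical helper: decode untrusted image bytes so that every decoder
  // failure reaches the caller as an IOException subtype.
  static BufferedImage readUntrusted(InputStream in) throws IOException {
    final BufferedImage image;
    try {
      image = ImageIO.read(in);
    } catch (RuntimeException e) {
      // Covers the IndexOutOfBoundsException in this report and any other
      // unchecked exception a decoder plugin lets escape.
      throw new IIOException("Malformed image rejected: " + e, e);
    }
    if (image == null) {
      // ImageIO.read returns null when no registered reader claims the data.
      throw new IIOException("No ImageIO reader recognised the input");
    }
    return image;
  }

  public static void main(String[] args) {
    // Constructed sample: SOI marker followed by a DQT marker whose segment
    // length (1) is shorter than the two-byte length field itself.
    byte[] constructed = {
      (byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xDB, 0x00, 0x01
    };
    try (InputStream in = new ByteArrayInputStream(constructed)) {
      BufferedImage bi = readUntrusted(in);
      System.out.println("Decoded " + bi.getWidth() + "x" + bi.getHeight());
    } catch (IOException e) {
      // Single failure path for the application, whatever the decoder threw.
      System.out.println("Rejected: " + e.getMessage());
    }
  }
}
```

The wrapper deliberately leaves `Error` subclasses such as OutOfMemoryError uncaught; bounding memory use for hostile images needs separate limits on input size and declared dimensions.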