JDK-4818574 : sun_jpeg_fill_suspended_buffer() causes JVM crash
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 1.4.2
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_2000
  • CPU: x86
  • Submitted: 2003-02-14
  • Updated: 2003-10-27
  • Resolved: 2003-10-27
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
Other
5.0 b26Fixed
Related Reports
Relates :  
JDK-4818580 - ZipFileInputStream.available() always returns the full entry size
Description

Name: ks84122			Date: 02/13/2003


The report from Apple below describes a bug in sun_jpeg_fill_suspended_buffer() that causes a JVM crash. It also mentions the ZipFile problem which is filed as a separate bug(4818580).

Original description:
=====================

1. Use SwingSet2 JFC example. Expand the jar file and recreate it using jar cm0f to get an uncompressed jar.
2. Run the example using the uncompressed jar file.
3. Click on the JEditorPane HTMLDemo icon.
4. Scroll down the page. Click on the first link (Title Page).
5. Crash.

The crash is due to code in src/share/native/sun/awt/image/jpeg/jpegdecoder.c, function sun_jpeg_fill_suspended_buffer() uses size_t paramaters (unsigned integers) for ret, offset, buflen. However, the error code returned from the JNI calls it makes are jints, and return -1 to indicate an error. So this code never indicates an error:

    if (ret <= 0) {
	/* Silently accept truncated JPEG files */
	WARNMS(cinfo, JWRN_JPEG_EOF);
	src->inbuf[offset] = (JOCTET) 0xFF;
	src->inbuf[offset + 1] = (JOCTET) JPEG_EOI;
	ret = 2;
    }

The end result is that the return length becomes a very large positive integer and a call to memmove later scribbles all over memory.

ret should be jint type, or cast to an (int) for the test.

Once the abvoe problem is fixed, reading the same JPEG files from an uncompressed jar file give "Premature end of JPEG" warnings. This problem is because ZipFileInputStream's available() method incorrectly returns the full entry size in its available() method, rather than the remaining number of bytes that can be read. In src/share/classes/java/util/zip/ZipFile.java:

	public int available() {
	    return size;
	}

should be:

	public int available() {
	    return rem;
	}
(Review ID: 181199) 
======================================================================
Comments
CONVERTED DATA BugTraq+ Release Management Values COMMIT TO FIX: tiger tiger-beta FIXED IN: tiger tiger-beta INTEGRATED IN: tiger-b26 tiger-beta
21-08-2004
EVALUATION Looks like this change was made as a result of the Itanium work in 1.4. ###@###.### 2003-02-14 Name: abR10136 Date: 09/30/2003 The problem described in this bug can be reproduced using tiger workspace (by using an specially broken image input stream). The crash happens if we get src->pub.bytes_in_puffer equals zero and at the same moment the end of the input stream is reached. In this case the new value of the bytes_in_buffer will be 0xffffffff. This value cause crash on line 322 next time when we call method sun_jpeg_fill_suspended_buffer. Proposed solution is to change the type of "ret" variable from unsigned int to int in order to ensure the correct comparison at the line 326. ======================================================================
21-08-2004
WORK AROUND Name: ks84122 Date: 02/13/2003 Used compressed jar files as the InflaterInputStream reads the ZipFileInputStream without regard for the available() call. ======================================================================
21-08-2004