JDK-4980124 : Native JVM crash in JPEG API when processing corrupt image files
  • Type: Bug
  • Component: client-libs
  • Sub-Component: 2d
  • Affected Version: 1.4.2_03
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_9
  • CPU: generic
  • Submitted: 2004-01-19
  • Updated: 2004-03-31
  • Resolved: 2004-01-26
Other: 5.0 beta (Fixed)
Description
A simple JAI 1.1.2 application will crash when loading and processing an invalid image file (.jpg tested).  The application programmer has no known way to handle this - an exception should be thrown that we can catch.  

Worse than an uncaught exception, the result of simply processing an invalid file is a crash of the native JVM.

The testcase and test file are attached:

/// Testcase:

import java.awt.image.RenderedImage;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

import javax.media.jai.JAI;

import com.sun.media.jai.codec.MemoryCacheSeekableStream;
import com.sun.media.jai.codec.SeekableStream;


public class JAICrashTest {

        public static void main(String[] args) throws IOException {
                String fileName = args[0];
                byte[] data     = loadFile(fileName);
                InputStream istream = new ByteArrayInputStream(data);
                int availableBytes = istream.available();
                //      Load the source image from a Stream.
                SeekableStream st = new MemoryCacheSeekableStream(istream);
                st.read(new byte[availableBytes], 0, availableBytes);
                RenderedImage im = JAI.create("stream", st);
                if( (im.getWidth() <= 0 || im.getHeight() <= 0)){
                        System.out.println("Something wrong..");
                        return;
                }
                System.out.println("Okay..");
        }

        public static byte[] loadFile(String name) throws IOException {
                File f = new File(name);
                byte[] result = new byte[(int) f.length()];
                FileInputStream is = new FileInputStream(f);
                is.read(result);
                is.close();
                return result;
        }

}


//// Output:

sr-egmp03-07(5.9)$ cat ./go
export JAI_HOME=/home/kevinwa/javastuff/jai-1_1_2/lib
export CLASSPATH=$JAI_HOME/jai_core.jar:$JAI_HOME/jai_codec.jar:$JAI_HOME/mlibwrapper_jai.jar:$CLASSPATH
export LD_LIBRARY_PATH=$JAI_HOME:$CLASSPATH:$LD_LIBRARY_PATH
java JAICrashTest 00000005.jpg

sr-egmp03-07(5.9)$ ./go

Unexpected Signal : 11 occurred at PC=0xFEDB24BC
Function=[Unknown. Nearest: JVM_IsSameClassPackage+0x7050]
Library=/net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/client/libjvm.so

Current Java thread:
        at sun.awt.image.codec.JPEGImageDecoderImpl.readJPEGStream(Native Method)
        - locked <0xf19a1268> (a sun.awt.image.codec.JPEGImageDecoderImpl)
        at sun.awt.image.codec.JPEGImageDecoderImpl.decodeAsBufferedImage(JPEGImageDecoderImpl.java:210)
        - locked <0xf19a1268> (a sun.awt.image.codec.JPEGImageDecoderImpl)
        at com.sun.media.jai.codecimpl.JPEGImage.<init>(JPEGImageDecoder.java:114)
        - locked <0xf19a0770> (a java.lang.Object)
        at com.sun.media.jai.codecimpl.JPEGImageDecoder.decodeAsRenderedImage(JPEGImageDecoder.java:53)
        at com.sun.media.jai.opimage.CodecRIFUtil.create(CodecRIFUtil.java:96)
        at com.sun.media.jai.opimage.JPEGRIF.create(JPEGRIF.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at javax.media.jai.FactoryCache.invoke(FactoryCache.java:130)
        at javax.media.jai.OperationRegistry.invokeFactory(OperationRegistry.java:1682)
        at javax.media.jai.ThreadSafeOperationRegistry.invokeFactory(ThreadSafeOperationRegistry.java:481)
        at javax.media.jai.registry.RIFRegistry.create(RIFRegistry.java:340)
        at com.sun.media.jai.opimage.StreamRIF.create(StreamRIF.java:110)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at javax.media.jai.FactoryCache.invoke(FactoryCache.java:130)
        at javax.media.jai.OperationRegistry.invokeFactory(OperationRegistry.java:1682)
        at javax.media.jai.ThreadSafeOperationRegistry.invokeFactory(ThreadSafeOperationRegistry.java:481)
        at javax.media.jai.registry.RIFRegistry.create(RIFRegistry.java:340)
        at javax.media.jai.RenderedOp.createInstance(RenderedOp.java:830)
        - locked <0xf191c870> (a javax.media.jai.RenderedOp)
        at javax.media.jai.RenderedOp.createRendering(RenderedOp.java:878)
        - locked <0xf191c870> (a javax.media.jai.RenderedOp)
        at javax.media.jai.RenderedOp.getWidth(RenderedOp.java:2190)
        at JAICrashTest.main(JAICrashTest.java:27)

Dynamic libraries:
0x10000         java
0xff380000      /usr/lib/libthread.so.1
0xff3b0000      /usr/lib/libdl.so.1
0xff280000      /usr/lib/libc.so.1
0xff350000      /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1
0xfec00000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/client/libjvm.so
0xff230000      /usr/lib/libCrun.so.1
0xff210000      /usr/lib/libsocket.so.1
0xff100000      /usr/lib/libnsl.so.1
0xff0b0000      /usr/lib/libm.so.1
0xff1e0000      /usr/lib/libsched.so.1
0xff260000      /usr/lib/libw.so.1
0xff090000      /usr/lib/libmp.so.2
0xff070000      /usr/lib/librt.so.1
0xff050000      /usr/lib/libaio.so.1
0xff030000      /usr/lib/libmd5.so.1
0xfebe0000      /usr/platform/SUNW,Ultra-Enterprise/lib/libmd5_psr.so.1
0xfeba0000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/native_threads/libhpi.so
0xfeb60000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libverify.so
0xfeb20000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libjava.so
0xfeaf0000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libzip.so
0xf1700000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libawt.so
0xfc580000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libmlib_image.so
0xfe290000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/motif21/libmawt.so
0xf1480000      /usr/dt/lib/libXm.so.4
0xfc790000      /usr/openwin/lib/libXt.so.4
0xfe1d0000      /usr/openwin/lib/libXext.so.0
0xfe1b0000      /usr/openwin/lib/libXtst.so.1
0xf1380000      /usr/openwin/lib/libX11.so.4
0xfc6a0000      /usr/openwin/lib/libdps.so.5
0xfbfe0000      /usr/openwin/lib/libSM.so.6
0xfbfb0000      /usr/openwin/lib/libICE.so.6
0xfbeb0000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libcmm.so
0xfbdb0000      /net/cafebabe.uk/export/apps/products/java/jdk/prodn/j2sdk1.4.2_03/jre/lib/sparc/libjpeg.so

Heap at VM Abort:
Heap
 def new generation   total 2112K, used 1797K [0xf1800000, 0xf1a20000, 0xf1f10000)
  eden space 2048K,  84% used [0xf1800000, 0xf19b16c0, 0xf1a00000)
  from space 64K, 100% used [0xf1a00000, 0xf1a10000, 0xf1a10000)
  to   space 64K,   0% used [0xf1a10000, 0xf1a10000, 0xf1a20000)
 tenured generation   total 1408K, used 485K [0xf1f10000, 0xf2070000, 0xf5800000)
   the space 1408K,  34% used [0xf1f10000, 0xf1f895a8, 0xf1f89600, 0xf2070000)
 compacting perm gen  total 4096K, used 3317K [0xf5800000, 0xf5c00000, 0xf9800000)
   the space 4096K,  81% used [0xf5800000, 0xf5b3d790, 0xf5b3d800, 0xf5c00000)

Local Time = Mon Jan 19 11:05:20 2004
Elapsed Time = 8
#
# HotSpot Virtual Machine Error : 11
# Error ID : 4F530E43505002EF 01
# Please report this error at
# http://java.sun.com/cgi-bin/bugreport.cgi
#
# Java VM: Java HotSpot(TM) Client VM (1.4.2_03-b02 mixed mode)
#
# An error report file has been saved as hs_err_pid62954.log.
# Please refer to the file for further information.
#
./go[4]: 62954 Abort
sr-egmp03-07(5.9)$ 


Testcase .java and .class file are attached, with sample bad JPG.
Customer has provided additional stack traces, attached.

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: tiger-beta
FIXED IN: tiger-beta
INTEGRATED IN: tiger-beta
21-08-2004

EVALUATION
Name: abR10136 Date: 01/23/2004
This problem was fixed in Tiger as part of the fix for 4836529.
21-08-2004

PUBLIC COMMENTS
A simple JAI 1.1.2 application will crash when loading and processing an invalid image file (.jpg tested). The application programmer has no known way to handle this - an exception should be thrown that we can catch.
21-08-2004
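
The report's core point is that a fault inside the native JPEG decoder takes down the whole JVM and cannot be caught with try/catch. On a runtime that does not yet have the fix, the caller can still contain the failure by decoding untrusted images in a child JVM and classifying the result by exit status. The following is an added example, not code from this report or from the JDK/JAI; the class name, exit codes, heap cap and timeout are assumptions, and it decodes with javax.imageio.ImageIO instead of JAI so that it compiles with the JDK alone (Java 8 or later, compiled class on the class path).

```java
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.concurrent.TimeUnit;
import javax.imageio.ImageIO;

/** Hypothetical helper: validate an untrusted image in a separate JVM. */
public class IsolatedImageCheck {

    enum Verdict { OK, REJECTED, DECODER_CRASHED, TIMED_OUT }

    /** Parent side: spawn a child JVM for the decode and map its exit status to a verdict. */
    static Verdict check(File image, long timeoutSeconds) throws IOException, InterruptedException {
        String java = Paths.get(System.getProperty("java.home"), "bin", "java").toString();
        ProcessBuilder pb = new ProcessBuilder(
                java, "-Xmx128m",   // assumed heap cap so an oversized image cannot exhaust the host
                "-cp", System.getProperty("java.class.path"),
                IsolatedImageCheck.class.getName(), "--child", image.getAbsolutePath());
        pb.inheritIO();             // child output (including any crash banner) goes to our console
        Process p = pb.start();
        if (!p.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            p.destroyForcibly();    // a decoder stuck in a loop is treated like a failure
            return Verdict.TIMED_OUT;
        }
        switch (p.exitValue()) {
            case 0:  return Verdict.OK;
            case 2:  return Verdict.REJECTED;        // decoder reported the error cleanly
            default: return Verdict.DECODER_CRASHED; // JVM abort (native fault) or fatal error
        }
    }

    /** Child side: the only code path that touches the image decoder. */
    static int decode(File image) {
        try {
            BufferedImage im = ImageIO.read(image);  // returns null if no reader accepts the data
            return (im != null && im.getWidth() > 0 && im.getHeight() > 0) ? 0 : 2;
        } catch (IOException | RuntimeException e) {
            return 2;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2 && args[0].equals("--child")) {
            System.exit(decode(new File(args[1])));
        }
        if (args.length != 1) { System.err.println("usage: IsolatedImageCheck <image>"); System.exit(64); }
        System.out.println(args[0] + ": " + check(new File(args[0]), 10));
    }
}
```

A file that makes the child abort the way the transcript above shows is reported as DECODER_CRASHED while the parent keeps running and can log and quarantine the input.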