src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java


        

@@ -662,10 +662,16 @@
         int colorType = metadata.IHDR_colorType;
         if (ignoreMetadata && colorType != PNG_COLOR_PALETTE) {
             try {
                 while (true) {
                     int chunkLength = stream.readInt();
+
+                    // verify the chunk length first
+                    if (chunkLength < 0 || chunkLength + 4 < 0) {
+                        throw new IIOException("Invalid chunk length " + chunkLength);
+                    }
+
                     int chunkType = stream.readInt();
 
                     if (chunkType == IDAT_TYPE) {
                         // We've reached the image data
                         stream.skipBytes(-8);
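Review bot: The second clause of the new guard, `chunkLength + 4 < 0`, detects overflow only through int wraparound, and nothing in the hunk says what the 4 stands for. Writing it as `if (chunkLength < 0 || chunkLength > Integer.MAX_VALUE - 4) {` states the bound directly, and the comment could read `// reject negative lengths and lengths where chunkLength + 4 (presumably data plus CRC) would overflow int`. The length is read straight from the input stream, so this guard is what stops a crafted file from turning a later skip into a negative offset; the statement that consumes the value is outside the hunk, so confirm the bound matches it. The check in the second hunk tests only `chunkLength < 0`, which looks adequate for the long-valued `stream.seek(stream.getStreamPosition() + chunkLength)` shown there, but is worth confirming against any later int arithmetic on the length.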

@@ -690,11 +696,11 @@
                 int chunkType = stream.readInt();
                 int chunkCRC;
 
                 // verify the chunk length
                 if (chunkLength < 0) {
-                    throw new IIOException("Invalid chunk lenght " + chunkLength);
+                    throw new IIOException("Invalid chunk length " + chunkLength);
                 };
 
                 try {
                     stream.mark();
                     stream.seek(stream.getStreamPosition() + chunkLength);