< prev index next >

src/java.desktop/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java

Print this page

        

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -457,17 +457,22 @@
         metadata.iTXt_compressionFlag.add(Boolean.valueOf(compressionFlag == 1));
 
         int compressionMethod = stream.readUnsignedByte();
         metadata.iTXt_compressionMethod.add(Integer.valueOf(compressionMethod));
 
-        String languageTag = readNullTerminatedString("UTF8", 80);
+        long pos = stream.getStreamPosition();
+        int remainingLen = (int)(chunkStart + chunkLength - pos);
+        String languageTag = readNullTerminatedString("UTF8", remainingLen);
         metadata.iTXt_languageTag.add(languageTag);
 
-        long pos = stream.getStreamPosition();
-        int maxLen = (int)(chunkStart + chunkLength - pos);
+        pos = stream.getStreamPosition();
+        remainingLen = (int)(chunkStart + chunkLength - pos);
+        if (remainingLen < 0) {
+            throw new IIOException("iTXt chunk length is not proper");
+        }
         String translatedKeyword =
-            readNullTerminatedString("UTF8", maxLen);
+            readNullTerminatedString("UTF8", remainingLen);
         metadata.iTXt_translatedKeyword.add(translatedKeyword);
 
         String text;
         pos = stream.getStreamPosition();
         int textLength = (int)(chunkStart + chunkLength - pos);
< prev index next >