From ebeadc89d30eba5b16183bafa7f20ec6e67e955c Mon Sep 17 00:00:00 2001
From: Aleksei Voitylov <avoitylov@openjdk.org>
Date: Thu, 16 Dec 2021 20:37:07 +0300
Subject: [PATCH] 8272462: Enhance image handling

Reviewed-by: yan
---
 .../com/sun/imageio/plugins/gif/GIFImageReader.java        | 7 ++++++-
 .../com/sun/imageio/plugins/jpeg/JPEGImageReader.java      | 7 +++++++
 .../com/sun/imageio/plugins/png/PNGImageReader.java        | 7 +++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/jdk/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReader.java b/jdk/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReader.java
index d654effab9..a9243b1ffe 100644
--- a/jdk/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReader.java
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/gif/GIFImageReader.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -956,6 +956,11 @@ public class GIFImageReader extends ImageReader {
                         }
                     }
 
+                    if (tableIndex >= prefix.length) {
+                        throw new IIOException("Code buffer limit reached,"
+                                + " no End of Image tag present, possibly data is corrupted. ");
+                    }
+
                     int ti = tableIndex;
                     int oc = oldCode;
 
diff --git a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java
index 0faf133ed8..af62595fb5 100644
--- a/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/jpeg/JPEGImageReader.java
@@ -1082,6 +1082,13 @@ public class JPEGImageReader extends ImageReader {
                 throw new IIOException("Unsupported Image Type");
             }
 
+            if ((long)width * height > Integer.MAX_VALUE - 2) {
+                // We are not able to properly decode image that has number
+                // of pixels greater than Integer.MAX_VALUE - 2
+                throw new IIOException("Can not read image of the size "
+                        + width + " by " + height);
+            }
+
             image = getDestination(param, imageTypes, width, height);
             imRas = image.getRaster();
 
diff --git a/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java b/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
index 1df821b58f..300f3a010e 100644
--- a/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
+++ b/jdk/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java
@@ -1239,6 +1239,13 @@ public class PNGImageReader extends ImageReader {
         int width = metadata.IHDR_width;
         int height = metadata.IHDR_height;
 
+        if ((long)width * height > Integer.MAX_VALUE - 2) {
+            // We are not able to properly decode image that has number
+            // of pixels greater than Integer.MAX_VALUE - 2
+            throw new IIOException("Can not read image of the size "
+                    + width + " by " + height);
+        }
+
         // Init default values
         sourceXSubsampling = 1;
         sourceYSubsampling = 1;