Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

ArrayIndexOutOfBoundsException in CCITTFaxDecoderStream.java

See original GitHub issue

Describe the bug The second occurence of changesCurrentRow[changesCurrentRowCount++] = index; can produce an AIOOBE

Version information

  1. The version of the TwelveMonkeys ImageIO library in use. We’re using a modified version of that file, but I expect this to happen on your side too. I looked at your code and the last modifications.

  2. The exact output of java --version (or java -version for older Java releases). 18-ea

  3. Extra information about OS version, server version, standalone program or web application packaging, executable wrapper, etc. W10

To Reproduce

Use CCITTFaxDecoderStream with the exploit mentioned in https://issues.apache.org/jira/browse/PDFBOX-5339

parameters: columns 7 type 4 fillOrder 1 options 0 byteAligned false

        InputStream is = new FileInputStream("crash-e835587b760ebc7e5a2edc3855d82c38637223c5.txt");
        is.skip(3404);
        CCITTFaxDecoderStream ccittFaxDecoderStream = new CCITTFaxDecoderStream(is, 7, 4, 1, 0, false);
        while (ccittFaxDecoderStream.read() != -1)
            ;

(needs minor change, fill order (the “1”) is no longer as parameter in your code)

Expected behavior An IOException

Sample file(s) crash-e835587b760ebc7e5a2edc3855d82c38637223c5.txt

“hot” part starts at offset 3404

Stak trace

(numbers not the same as in your code)

Exception in thread “main” java.lang.ArrayIndexOutOfBoundsException: 9 at org.apache.pdfbox.filter.CCITTFaxDecoderStream.decode2D(CCITTFaxDecoderStream.java:229) at org.apache.pdfbox.filter.CCITTFaxDecoderStream.decodeRowType6(CCITTFaxDecoderStream.java:336) at org.apache.pdfbox.filter.CCITTFaxDecoderStream.decodeRow(CCITTFaxDecoderStream.java:348) at org.apache.pdfbox.filter.CCITTFaxDecoderStream.fetch(CCITTFaxDecoderStream.java:155) at org.apache.pdfbox.filter.CCITTFaxDecoderStream.read(CCITTFaxDecoderStream.java:477)

The easiest thing to do would be to add something like this 3 times:

if (changesCurrentRowCount >= changesCurrentRow.length)
{
    throw new IOException("changesCurrentRowCount outside of bound");
}

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:6 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
THausherrcommented, Dec 11, 2021

645.txt is probably a real CCITT stream modified by a fuzzer.

1reaction
THausherrcommented, Dec 11, 2021

645.txt

Smaller stream, with smaller code:


public static void main(String[] args) throws IOException
{
    InputStream is = new FileInputStream("645.txt");
    CCITTFaxDecoderStream ccittFaxDecoderStream = new CCITTFaxDecoderStream(is, 7, 4, 0, false);
    while (ccittFaxDecoderStream.read() != -1)
        ;
}
Read more comments on GitHub >

github_iconTop Results From Across the Web

ArrayIndexOutOfBoundsException in ... - GitHub
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 25 at com.twelvemonkeys.imageio.plugins.tiff.CCITTFaxDecoderStream.
Read more >
Java ArrayIndexOutOfBoundsException - Baeldung
ArrayIndexOutOfBoundsException occurs when we access an array, or a Collection, that is backed by an array with an invalid index. This means ...
Read more >
2.0.5 - [Custom Search] - ASF JIRA
Update CCITTFaxDecoderStream.java from twelvemonkeys. PDFBOX-3703Closed. 2. ArrayIndexOutOfBoundsException in PDDeviceRGB.toRGB(). PDFBOX-3702Closed.
Read more >
What causes a java.lang.ArrayIndexOutOfBoundsException ...
Thrown to indicate that an array has been accessed with an illegal index. The index is either negative or greater than or equal...
Read more >
ArrayIndexOutOfBoundsException (Java Platform SE 7 )
Constructs a new ArrayIndexOutOfBoundsException class with an argument indicating the illegal index. Parameters: index - the illegal index.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

OutOfMemoryError while reading tif

Next page

Inverted TIFFs (potentially incorrect photometric tag)