[See all my vulnerabilities at http://scary.beasts.org/security]
The JDK comes with an image parsing API based around the javax.imageio.ImageIO class. A slightly sloppy demo program to exercise this API would be:
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import java.util.Iterator;
import java.io.InputStream;
import java.io.FileInputStream;
import java.io.ByteArrayInputStream;
import javax.imageio.stream.MemoryCacheImageInputStream;
import javax.imageio.stream.ImageInputStream;

public class ImgReader {
    public static void main(String[] args) throws Exception {
        // Open the file named on the command line and wrap it for ImageIO
        InputStream is = new FileInputStream(args[0]);
        ImageInputStream iis = new MemoryCacheImageInputStream(is);
        // Pick the first reader that recognises the stream's format
        Iterator<ImageReader> it = ImageIO.getImageReaders(iis);
        ImageReader reader = it.next();
        reader.setInput(iis);
        // Querying the width is enough to make the reader parse the image header
        int width = reader.getWidth(0);
    }
}

This program takes the first command line argument as an image filename to put through the JDK image parsing API.
Of course, most Java image parsing will be safe from the usual gamut of buffer overflows, integer overflows, subtle memory corruptions, etc. Most, but not all. The JPEG and BMP parsers support embedded ICC profiles (to do with colour correction), and the ICC profile parser is actually backed by native code.
Demo JPG: http://scary.beasts.org/misc/jdk/badicc.jpg . It causes a crash of the JVM. The crash is caused by a buffer overflow subsequent to an integer overflow, so it is likely exploitable to cause arbitrary code execution on many platforms.
Generally, the ICC parser takes quite a few 32-bit integers from ICC profile data and does not check them for being excessively large.
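To illustrate the kind of check the advisory says is missing, here is an added example (not code from the advisory or from the JDK) of a defensive validator for an ICC profile's tag table. It assumes the standard ICC layout (128-byte header, then a 32-bit tag count, then 12-byte entries of signature, offset and size), reads every 32-bit field into a long so that offset plus size cannot wrap, and rejects any tag that would reach past the end of the profile data. The class name, method names and the constructed sample profile are all hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/** Hypothetical defensive check of an ICC profile tag table (not JDK code). */
public class IccTagTableCheck {
    static final int HEADER_LEN = 128;  // ICC header; the tag count follows it
    static final int ENTRY_LEN = 12;    // each tag entry: sig(4) offset(4) size(4)

    // Read an unsigned big-endian 32-bit field into a long so arithmetic cannot wrap.
    static long u32(ByteBuffer b, int pos) {
        return b.getInt(pos) & 0xFFFFFFFFL;
    }

    /** Returns true only if every tag entry lies entirely inside the profile buffer. */
    static boolean tagTableIsSane(byte[] profile) {
        ByteBuffer b = ByteBuffer.wrap(profile).order(ByteOrder.BIG_ENDIAN);
        long len = profile.length;
        if (len < HEADER_LEN + 4) return false;
        long count = u32(b, HEADER_LEN);
        // Bound the count before using it: a huge count must not wrap into a small table size.
        if (count > (len - HEADER_LEN - 4) / ENTRY_LEN) return false;
        for (int i = 0; i < count; i++) {
            int entry = HEADER_LEN + 4 + i * ENTRY_LEN;
            long off = u32(b, entry + 4);
            long size = u32(b, entry + 8);
            // off + size is evaluated in 64 bits; a 32-bit add could wrap to a small value.
            if (off < HEADER_LEN || off + size > len) return false;
        }
        return true;
    }

    // Constructed sample profile with a single 'desc' tag whose offset and size we choose.
    static byte[] sample(long tagOffset, long tagSize) {
        byte[] p = new byte[HEADER_LEN + 4 + ENTRY_LEN + 16];
        ByteBuffer b = ByteBuffer.wrap(p).order(ByteOrder.BIG_ENDIAN);
        b.putInt(0, p.length);                 // profile size field in the header
        b.putInt(HEADER_LEN, 1);               // one tag
        b.putInt(HEADER_LEN + 4, 0x64657363);  // tag signature 'desc'
        b.putInt(HEADER_LEN + 8, (int) tagOffset);
        b.putInt(HEADER_LEN + 12, (int) tagSize);
        return p;
    }

    public static void main(String[] args) {
        // A tag that fits inside the buffer versus one whose offset+size wraps in 32 bits
        System.out.println(tagTableIsSane(sample(HEADER_LEN + 4 + ENTRY_LEN, 16)));
        System.out.println(tagTableIsSane(sample(0xFFFFFFF0L, 0x20L)));
    }
}
```

The second sample would pass a naive check done in 32-bit arithmetic, since 0xFFFFFFF0 + 0x20 wraps to 0x10, which is exactly the class of unchecked 32-bit integer the advisory describes.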
Demo BMP: http://scary.beasts.org/misc/jdk/evil2.bmp . This, on Linux, causes the image parsing thread to hang whilst trying to read from /dev/tty.
Obviously, the broad problem here is that opening local files is not a suitable thing to do in the context of server-side image parsing.
CESA-2006-004 - rev 2
Chris Evans
scarybeasts@gmail.com