Issue #685 | Validate stringLength in ICC DESC tag to prevent exceptions

Resolved an issue where malformed ICC profiles could cause a StringIndexOutOfBoundsException during DESC tag processing. - Added validation to ensure `stringLength` is non-negative and does not exceed `bytes.length - 12`. - Throws `BufferBoundsException` with a detailed message for invalid cases. - Ensures corrupted ICC profiles are handled gracefully.
drewnoakes · Nov 25, 2024 · da59f94 · da59f94
1 parent 0c3452b
commit da59f94
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/Source/com/drew/metadata/icc/IccDescriptor.java b/Source/com/drew/metadata/icc/IccDescriptor.java
@@ -21,6 +21,7 @@
 
 package com.drew.metadata.icc;
 
+import com.drew.lang.BufferBoundsException;
 import com.drew.lang.ByteArrayReader;
 import com.drew.lang.RandomAccessReader;
 import com.drew.lang.annotations.NotNull;
@@ -91,6 +92,11 @@ private String getTagDataString(int tagType)
                     }
                 case ICC_TAG_TYPE_DESC:
                     int stringLength = reader.getInt32(8);
+
+                    if (stringLength < 0 || stringLength > (bytes.length - 12)) {
+                        throw new BufferBoundsException(12, stringLength, bytes.length);
+                    }
+
                     return new String(bytes, 12, stringLength - 1);
                 case ICC_TAG_TYPE_SIG:
                     return IccReader.getStringFromInt32(reader.getInt32(8));