From 8db133290be26836b2f052658644d341165a2b98 Mon Sep 17 00:00:00 2001 From: Lim Sim Yee <137663782+simei2k@users.noreply.github.com> Date: Sat, 10 May 2025 23:32:34 +0800 Subject: [PATCH] Fix Buffer Handling Vulnerabilities in write Method This PR addresses several security vulnerabilities in the write method implementation related to buffer handling and input validation. This vulnerability was also identifed and fixed in ReadyTalk/avian@0871979, corresponding to CVE-2020-9488. References: 1. ReadyTalk/avian@0871979 2. https://nvd.nist.gov/vuln/detail/cve-2020-9488 --- .../PngEncoderIdatChunksOutputStream.java | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/src/com/pngencoder/PngEncoderIdatChunksOutputStream.java b/src/com/pngencoder/PngEncoderIdatChunksOutputStream.java index 717a7492b..3ba99f3b6 100644 --- a/src/com/pngencoder/PngEncoderIdatChunksOutputStream.java +++ b/src/com/pngencoder/PngEncoderIdatChunksOutputStream.java @@ -43,24 +43,30 @@ public void write(byte[] b) throws IOException { @Override public void write(byte[] b, int off, int len) throws IOException { + // Check for null input + if (b == null) { + throw new NullPointerException("Input byte array cannot be null"); + } + + // Check array bounds + if (off < 0 || len < 0 || off + len > b.length) { + throw new ArrayIndexOutOfBoundsException("Invalid offset or length parameters"); + } + + // Handle buffer management if (len >= buf.length) { flushBuffer(); writeIdatChunk(b, off, len); return; } + if (len > buf.length - count) { flushBuffer(); } + System.arraycopy(b, off, buf, count, len); count += len; } - - @Override - public void flush() throws IOException { - flushBuffer(); - super.flush(); - } - private void flushBuffer() throws IOException { if (count > 0) { writeIdatChunk(buf, 0, count);