Fix ArrayIndexOutOfBoundsException in Extended XMP processing#712
Merged
drewnoakes merged 3 commits intodrewnoakes:mainfrom Feb 2, 2026
Merged
Conversation
These tests demonstrate an ArrayIndexOutOfBoundsException in XmpReader.processExtendedXMPChunk() when processing malformed Extended XMP segments where: 1. chunkOffset exceeds the declared fullLength (buffer size) 2. chunkOffset + chunkDataLength exceeds the buffer bounds The current code at XmpReader.java:296 does: System.arraycopy(segmentBytes, totalOffset, extendedXMPBuffer, chunkOffset, segmentLength - totalOffset) It validates extendedXMPBuffer.length == fullLength, but doesn't validate - chunkOffset + (segmentLength - totalOffset) <= extendedXMPBuffer.length This causes crashes when processing JPEGs with corrupted or malformed Extended XMP metadata.
Add bounds validation before System.arraycopy in processExtendedXMPChunk() to prevent crashes when processing malformed Extended XMP metadata. The fix handles two edge cases: - chunkOffset + copyLength exceeds buffer size - chunkOffset is negative (from uint32 > Integer.MAX_VALUE cast to int) Uses subtraction instead of addition to avoid integer overflow: if (chunkOffset < 0 || chunkOffset > buffer.length - copyLength) Includes sample JPEG file (malformed_extended_xmp.jpg) for regression testing. Fixes drewnoakes#308
drewnoakes
added a commit
to drewnoakes/metadata-extractor-images
that referenced
this pull request
Feb 2, 2026
Adds an image provided by @alicanalbayrak in drewnoakes/metadata-extractor#712 that reproduces a bug in how we handle extended XMP data.
Owner
|
Thanks very much for the fix here, and for providing a sample image. It's customary in this repo that we don't add test images to the tree here. Instead, they go into a separate repo which is used for regression testing. I've pushed the image there already (drewnoakes/metadata-extractor-images@651ad0e). Please remove it and the unit test from this PR. There are just too many combinations of inputs for us to have unit tests for all of them, and the regression suite gives excellent coverage. |
Contributor
Author
|
Hi @drewnoakes, I've addressed your comment. Cheers |
don-vip
pushed a commit
to don-vip/metadata-extractor
that referenced
this pull request
Feb 13, 2026
…akes#712) Add bounds validation before System.arraycopy in processExtendedXMPChunk() to prevent crashes when processing malformed Extended XMP metadata. The fix handles two edge cases: - chunkOffset + copyLength exceeds buffer size - chunkOffset is negative (from uint32 > Integer.MAX_VALUE cast to int) Uses subtraction instead of addition to avoid integer overflow: if (chunkOffset < 0 || chunkOffset > buffer.length - copyLength) Fixes drewnoakes#308
don-vip
pushed a commit
to don-vip/metadata-extractor
that referenced
this pull request
Feb 13, 2026
…akes#712) Add bounds validation before System.arraycopy in processExtendedXMPChunk() to prevent crashes when processing malformed Extended XMP metadata. The fix handles two edge cases: - chunkOffset + copyLength exceeds buffer size - chunkOffset is negative (from uint32 > Integer.MAX_VALUE cast to int) Uses subtraction instead of addition to avoid integer overflow: if (chunkOffset < 0 || chunkOffset > buffer.length - copyLength) Fixes drewnoakes#308
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds bounds validation before
System.arraycopyinXmpReader.processExtendedXMPChunk()to prevent crashes when processing malformed Extended XMP metadata.Fixes #711
The Bug
When processing Extended XMP chunks, the code allocates a buffer based on the declared
fullLength, then copies chunk data atchunkOffset. However, there was no validation thatchunkOffset + copyLength <= buffer.length, causingArrayIndexOutOfBoundsException:java.lang.ArrayIndexOutOfBoundsException: arraycopy: last destination index 15334120 out of bounds for byte[15262528] at com.drew.metadata.xmp.XmpReader.processExtendedXMPChunk(XmpReader.java:296)The Fix
The bounds check handles:
chunkOffset + copyLength > buffer.lengthInteger.MAX_VALUEbecome negative when cast to intSample Image
Included
Tests/Data/malformed_extended_xmp.jpg- a minimal (847 bytes) 1x1 pixel JPEG that reproduces the bug for regression testing.