Bug trophy case

Rohan Padhye edited this page Dec 18, 2018 · 26 revisions

40 bugs found · 5 security issues

This is a list of new bugs found in open-source software using JQF. Feel free to add to this list if you find anything new using JQF.

OpenJDK

  • CVE-2018-3214: Endless Loop in RiffReader (discovered by Tobias Ospelt)
  • JDK-8190332: PngReader throws NegativeArraySizeException when width is too large
  • JDK-8190511: PngReader throws OutOfMemoryError for very small malformed PNGs
  • JDK-8190512: PngReader throws undocumented IllegalArgumentException: "Empty Region" instead of IOException for malformed images with negative dimensions
  • JDK-8190997: PngReader throws NullPointerException when PLTE section is missing
  • JDK-8191023: PngReader throws NegativeArraySizeException in parse_tEXt_chunk when keyword length exceeds chunk size
  • JDK-8191076: PngReader throws NegativeArraySizeException in parse_zTXt_chunk when keyword length exceeds chunk size
  • JDK-8191109: PngReader throws NegativeArraySizeException in parse_iCCP_chunk when keyword length exceeds chunk size
  • JDK-8191174: PngReader throws undocumented IllegalArgumentException with message "Pixel stride times width must be <= scanline stride"
  • JDK-8191073: JpegImageReader throws IndexOutOfBoundsException when reading malformed header
  • JDK-8193444: SimpleDateFormat throws ArrayIndexOutOfBoundsException when format contains long sequences of unicode characters
  • JDK-8193877: DateTimeFormatterBuilder throws ClassCastException when using padding
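
The PngReader entries above all share one shape: a documented failure mode (IOException) versus an undocumented RuntimeException or Error escaping on malformed input. The fuzz target below is an added example of the kind of JQF/JUnit driver that surfaces such bugs; it is not the JQF project's own PngReader driver, and the class name, package and Maven setup are assumptions (JQF's artifact coordinates are not on this page). Only the JQF annotations (`@RunWith(JQF.class)`, `@Fuzz`) and standard JDK/JUnit calls are used.

```java
// Added example, not JQF's own driver: a fuzz target for the JDK PNG reader.
// Assumes JQF and JUnit 4 are on the test classpath (coordinates not on this page).
package example;

import edu.berkeley.cs.jqf.fuzz.Fuzz;
import edu.berkeley.cs.jqf.fuzz.JQF;
import org.junit.Assume;
import org.junit.Before;
import org.junit.runner.RunWith;

import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.io.IOException;
import java.io.InputStream;

@RunWith(JQF.class)
public class PngReaderFuzzTest {

    private ImageReader reader;

    @Before
    public void setUp() {
        // Fresh instance of the JDK's built-in PNG plugin for every input,
        // so state left behind by one malformed file cannot leak into the next.
        this.reader = ImageIO.getImageReadersByFormatName("png").next();
    }

    @Fuzz
    public void read(InputStream input) throws IOException {
        // JQF generates the bytes behind this InputStream (random or
        // coverage-guided mutations of seed files).
        try (ImageInputStream in = ImageIO.createImageInputStream(input)) {
            Assume.assumeNotNull(in);
            reader.setInput(in);
            reader.read(0);
        } catch (IOException e) {
            // Oracle: IOException is the documented way to reject a bad PNG,
            // so such inputs are discarded as "assumption violated".
            // Anything else that escapes (NegativeArraySizeException,
            // NullPointerException, IllegalArgumentException, OutOfMemoryError)
            // is reported as a failure, which is exactly what the
            // JDK-8190332, JDK-8190512 and JDK-8190997 entries describe.
            Assume.assumeNoException(e);
        }
    }
}
```

With JQF's Maven plugin configured, the driver runs as `mvn jqf:fuzz -Dclass=example.PngReaderFuzzTest -Dmethod=read`, and a saved failing input can be replayed under a debugger with `mvn jqf:repro -Dclass=example.PngReaderFuzzTest -Dmethod=read -Dinput=<file>`. The same pattern, with the documented exception assumed away and everything else treated as a bug, applies to the other readers and parsers listed on this page.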

Google Closure Compiler

Mozilla Rhino

Apache Commons

  • COMPRESS-424: BZip2CompressorInputStream throws ArrayIndexOutOfBoundsException(s) when decompressing malformed input
  • LANG-1385: StringIndexOutOfBoundsException in NumberUtils.createNumber
  • CVE-2018-11771: Infinite Loop in Commons-Compress ZipArchiveInputStream (found by Tobias Ospelt)

Apache Maven

Apache Ant

  • Bug 62655: Augment task: IllegalStateException when "id" attribute is missing

Apache BCEL

  • BCEL-303: AssertionViolatedException in Pass 3A Verification of invoke instructions
  • BCEL-307: ClassFormatException thrown in Pass 3A verification
  • BCEL-308: NullPointerException in Verifier Pass 3A
  • BCEL-309: NegativeArraySizeException when Code attribute length is negative
  • BCEL-310: ArrayIndexOutOfBounds in Verifier Pass 3A
  • BCEL-311: ClassCastException in Verifier Pass 2
  • BCEL-312: AssertionViolation: INTERNAL ERROR Please adapt StringRepresentation to deal with ConstantPackage in Verifier Pass 2
  • BCEL-313: ClassFormatException: Invalid signature: Ljava/lang/String)V in Verifier Pass 3A

Apache PDFBox

Apache Tika