Harden probe validation across parsers

TamKungZ · TamKungZ · commit d1ff13e5f13b · 2026-03-17T00:11:10.000+07:00
tighten malformed-input handling in png, jpeg, heif, bmp, and tiff
probes to reject spec-invalid fields and out-of-bounds metadata early.
improve jpeg marker scanning alignment and heif fullbox/pixi parsing
to avoid incorrect reads on corrupted payloads.

standardize webp probe bit-depth reporting via a shared assumed
constant and document current probe limitations in readme.
bump project version and changelog for 1.1.3 release.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.1.3] - 2026-03-16
+
+### Fixed
+- Added strict PNG bit-depth validation in [`PngParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java) to reject malformed IHDR values outside the PNG spec (`1`, `2`, `4`, `8`, `16`).
+- Added helper [`PngParser.isValidBitDepth()`](src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java) to centralize allowed PNG bit-depth values during probe.
+- Added PNG color-type validation in [`PngParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java) with helper [`PngParser.isValidColorType()`](src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java) to accept only spec-valid values (`0`, `2`, `3`, `4`, `6`).
+- Refined JPEG signature sniffing in [`JpegParser.isLikelyJpeg()`](src/main/java/me/tamkungz/codecmedia/internal/image/jpeg/JpegParser.java) to require the exact 3-byte SOI/prefix check actually used by the parser.
+- Hardened JPEG SOF validation in [`JpegParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/jpeg/JpegParser.java) to reject invalid `bitsPerSample` (only `8`/`12`) and unsupported component counts (only `1`/`3`/`4`).
+- Improved JPEG marker traversal in [`JpegParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/jpeg/JpegParser.java) to correctly tolerate repeated `0xFF` fill bytes while preserving marker alignment validation.
+- Corrected HEIF `pixi` FullBox payload parsing in [`HeifParser.extractPixiBitDepth()`](src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java) by skipping the 4-byte FullBox header before reading channel count and per-channel depths.
+- Documented FullBox offset semantics for `ispe` extraction in [`HeifParser.extractIspeWidth()`](src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java) and [`HeifParser.extractIspeHeight()`](src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java).
+- Removed non-container boxes (`mdat`, `skip`, `free`) from recursive traversal candidates in [`HeifParser.isContainerType()`](src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java) to avoid unnecessary payload recursion.
+- Added bounds-checked big-endian integer reads in [`HeifParser.readBeInt()`](src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java) to return codec-domain errors instead of runtime index failures on malformed inputs.
+- Added strict BMP `bitsPerPixel` validation in [`BmpParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/bmp/BmpParser.java) via [`BmpParser.isValidBitsPerPixel()`](src/main/java/me/tamkungz/codecmedia/internal/image/bmp/BmpParser.java), allowing only spec-valid values (`1`, `2`, `4`, `8`, `16`, `24`, `32`).
+- Added defensive TIFF IFD entry-count bounds validation in [`TiffParser.parse()`](src/main/java/me/tamkungz/codecmedia/internal/image/tiff/TiffParser.java) to reject corrupt `entryCount` values that exceed available bytes.
+- Documented WebP probe bit-depth assumption in [`WebpParser`](src/main/java/me/tamkungz/codecmedia/internal/image/webp/WebpParser.java) with explicit constant [`ASSUMED_WEBP_BIT_DEPTH`](src/main/java/me/tamkungz/codecmedia/internal/image/webp/WebpParser.java), applied consistently across `VP8`, `VP8L`, and `VP8X` parsing.
+
+### Verified
+- Confirmed compile stability after PNG/JPEG/HEIF/BMP/TIFF/WebP parser hardening with `mvn -q -DskipTests compile`.
+
 ## [1.1.2] - 2026-03-15
 
 ### Added
diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 # CodecMedia
 
 [![MvnRepository](https://badges.mvnrepository.com/badge/me.tamkungz.codecmedia/codecmedia/badge.svg?label=MvnRepository)](https://mvnrepository.com/artifact/me.tamkungz.codecmedia/codecmedia)
+[![Sonatype Central](https://img.shields.io/badge/Sonatype%20Central-codecmedia-1f6feb)](https://central.sonatype.com/artifact/me.tamkungz.codecmedia/codecmedia)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![Java](https://img.shields.io/badge/Java-17%2B-ED8B00?logo=openjdk&logoColor=white)](https://openjdk.org/)
 [![Maven](https://img.shields.io/badge/Maven-3.9%2B-C71A36?logo=apachemaven&logoColor=white)](https://maven.apache.org/)
@@ -63,6 +64,8 @@ CodecMedia is a Java library for media probing, validation, metadata sidecar per
 - Audio-to-audio conversion is not implemented yet for real transcode cases (for example `mp3 -> ogg`).
 - The only temporary audio conversion path is a stub `wav <-> pcm` route.
 - Container/unknown conversion routes are intentionally unsupported unless explicitly mapped by the conversion route resolver.
+- TIFF probe currently reads the **first IFD/image** only (multi-page TIFF traversal is not implemented in probe mode).
+- WebP probe currently reports `bitDepth` as an assumed default (`8`) for `VP8`/`VP8L`/`VP8X` unless deeper profile metadata parsing is added.
 - For OpenAL workflows that require OGG from MP3 input, use an external transcoder first (for example ffmpeg), then play the produced OGG.
 
 ## Requirements
diff --git a/pom.xml b/pom.xml
@@ -7,7 +7,7 @@
 
   <groupId>me.tamkungz.codecmedia</groupId>
   <artifactId>codecmedia</artifactId>
-  <version>1.1.2</version>
+  <version>1.1.3</version>
   <packaging>jar</packaging>
 
   <name>CodecMedia</name>
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/bmp/BmpParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/bmp/BmpParser.java
@@ -39,13 +39,23 @@ public static BmpProbeInfo parse(byte[] bytes) throws CodecMediaException {
         if (width <= 0 || height <= 0) {
             throw new CodecMediaException("BMP has invalid dimensions");
         }
-        if (bitsPerPixel <= 0) {
-            throw new CodecMediaException("BMP has invalid bits-per-pixel");
+        if (!isValidBitsPerPixel(bitsPerPixel)) {
+            throw new CodecMediaException("BMP has invalid bits-per-pixel: " + bitsPerPixel);
         }
 
         return new BmpProbeInfo(width, height, bitsPerPixel);
     }
 
+    private static boolean isValidBitsPerPixel(int bitsPerPixel) {
+        return bitsPerPixel == 1
+                || bitsPerPixel == 2
+                || bitsPerPixel == 4
+                || bitsPerPixel == 8
+                || bitsPerPixel == 16
+                || bitsPerPixel == 24
+                || bitsPerPixel == 32;
+    }
+
     private static int readU16LE(byte[] bytes, int offset) throws CodecMediaException {
         if (offset + 2 > bytes.length) {
             throw new CodecMediaException("Unexpected end of BMP data");
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/heif/HeifParser.java
@@ -6,6 +6,8 @@
 
 public final class HeifParser {
 
+    private static final int FULL_BOX_HEADER_SIZE = 4;
+
     private HeifParser() {
     }
 
@@ -47,18 +49,20 @@ private static String readAscii(byte[] bytes, int offset, int length) {
         return new String(bytes, offset, length, StandardCharsets.US_ASCII);
     }
 
-    private static Integer extractIspeWidth(BoxData ispe) {
+    private static Integer extractIspeWidth(BoxData ispe) throws CodecMediaException {
         if (ispe == null || ispe.payloadOffset() + 12 > ispe.boxEnd()) {
             return null;
         }
+        // ispe is a FullBox: [version(1) + flags(3)] + width(4) + height(4)
         int width = readBeInt(ispe.bytes(), ispe.payloadOffset() + 4);
         return width > 0 ? width : null;
     }
 
-    private static Integer extractIspeHeight(BoxData ispe) {
+    private static Integer extractIspeHeight(BoxData ispe) throws CodecMediaException {
         if (ispe == null || ispe.payloadOffset() + 12 > ispe.boxEnd()) {
             return null;
         }
+        // ispe is a FullBox: [version(1) + flags(3)] + width(4) + height(4)
         int height = readBeInt(ispe.bytes(), ispe.payloadOffset() + 8);
         return height > 0 ? height : null;
     }
@@ -69,16 +73,17 @@ private static Integer extractPixiBitDepth(BoxData pixi) {
         }
         byte[] bytes = pixi.bytes();
         int payloadOffset = pixi.payloadOffset();
-        if (payloadOffset + 1 > pixi.boxEnd()) {
+        int dataOffset = payloadOffset + FULL_BOX_HEADER_SIZE;
+        if (dataOffset + 1 > pixi.boxEnd()) {
             return null;
         }
-        int channelCount = bytes[payloadOffset] & 0xFF;
-        if (channelCount <= 0 || payloadOffset + 1 + channelCount > pixi.boxEnd()) {
+        int channelCount = bytes[dataOffset] & 0xFF;
+        if (channelCount <= 0 || dataOffset + 1 + channelCount > pixi.boxEnd()) {
             return null;
         }
         int minDepth = Integer.MAX_VALUE;
         for (int i = 0; i < channelCount; i++) {
-            int depth = bytes[payloadOffset + 1 + i] & 0xFF;
+            int depth = bytes[dataOffset + 1 + i] & 0xFF;
             if (depth > 0 && depth < minDepth) {
                 minDepth = depth;
             }
@@ -204,9 +209,6 @@ private static boolean isContainerType(String type) {
                 || "ilst".equals(type)
                 || "tref".equals(type)
                 || "mfra".equals(type)
-                || "skip".equals(type)
-                || "free".equals(type)
-                || "mdat".equals(type)
                 || "jp2h".equals(type)
                 || "res ".equals(type)
                 || "uuid".equals(type)
@@ -244,7 +246,10 @@ private static long readU64AsLong(byte[] bytes, int offset) {
                 | (bytes[offset + 7] & 0xFFL);
     }
 
-    private static int readBeInt(byte[] bytes, int offset) {
+    private static int readBeInt(byte[] bytes, int offset) throws CodecMediaException {
+        if (offset < 0 || offset + 4 > bytes.length) {
+            throw new CodecMediaException("Unexpected end of HEIF data");
+        }
         return ((bytes[offset] & 0xFF) << 24)
                 | ((bytes[offset + 1] & 0xFF) << 16)
                 | ((bytes[offset + 2] & 0xFF) << 8)
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/jpeg/JpegParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/jpeg/JpegParser.java
@@ -8,7 +8,7 @@ private JpegParser() {
     }
 
     public static boolean isLikelyJpeg(byte[] bytes) {
-        return bytes.length >= 4
+        return bytes.length >= 3
                 && (bytes[0] & 0xFF) == 0xFF
                 && (bytes[1] & 0xFF) == 0xD8
                 && (bytes[2] & 0xFF) == 0xFF;
@@ -21,12 +21,19 @@ public static JpegProbeInfo parse(byte[] bytes) throws CodecMediaException {
 
         int pos = 2; // after SOI
         while (pos + 4 <= bytes.length) {
-            if ((bytes[pos] & 0xFF) != 0xFF) {
+            int markerPrefixStart = pos;
+            while (pos < bytes.length && (bytes[pos] & 0xFF) == 0xFF) {
+                pos++; // skip marker prefix + fill bytes between markers
+            }
+            if (pos == markerPrefixStart) {
                 throw new CodecMediaException("Invalid JPEG marker alignment");
             }
+            if (pos >= bytes.length) {
+                throw new CodecMediaException("Unexpected end of JPEG while reading marker");
+            }
 
-            int marker = bytes[pos + 1] & 0xFF;
-            pos += 2;
+            int marker = bytes[pos] & 0xFF;
+            pos++;
 
             if (marker == 0xD9 || marker == 0xDA) {
                 break; // EOI or SOS; no frame header found yet
@@ -60,8 +67,14 @@ public static JpegProbeInfo parse(byte[] bytes) throws CodecMediaException {
                 int width = readBeShort(bytes, segmentDataStart + 3);
                 int channels = bytes[segmentDataStart + 5] & 0xFF;
 
-                if (width <= 0 || height <= 0 || channels <= 0) {
-                    throw new CodecMediaException("JPEG has invalid dimensions/components");
+                if (width <= 0 || height <= 0) {
+                    throw new CodecMediaException("JPEG has invalid dimensions");
+                }
+                if (!isValidBitsPerSample(bitsPerSample)) {
+                    throw new CodecMediaException("Invalid JPEG bit precision: " + bitsPerSample);
+                }
+                if (!isValidChannels(channels)) {
+                    throw new CodecMediaException("Invalid JPEG component count: " + channels);
                 }
                 return new JpegProbeInfo(width, height, bitsPerSample, channels);
             }
@@ -79,6 +92,14 @@ private static int readBeShort(byte[] bytes, int offset) throws CodecMediaExcept
         return ((bytes[offset] & 0xFF) << 8) | (bytes[offset + 1] & 0xFF);
     }
 
+    private static boolean isValidBitsPerSample(int bitsPerSample) {
+        return bitsPerSample == 8 || bitsPerSample == 12;
+    }
+
+    private static boolean isValidChannels(int channels) {
+        return channels == 1 || channels == 3 || channels == 4;
+    }
+
     private static boolean isSofMarker(int marker) {
         return marker == 0xC0 || marker == 0xC1 || marker == 0xC2
                 || marker == 0xC3 || marker == 0xC5 || marker == 0xC6
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/png/PngParser.java
@@ -50,10 +50,24 @@ public static PngProbeInfo parse(byte[] bytes) throws CodecMediaException {
         if (width <= 0 || height <= 0) {
             throw new CodecMediaException("PNG has invalid dimensions");
         }
+        if (!isValidBitDepth(bitDepth)) {
+            throw new CodecMediaException("PNG has invalid bit depth: " + bitDepth);
+        }
+        if (!isValidColorType(colorType)) {
+            throw new CodecMediaException("PNG has invalid color type: " + colorType);
+        }
 
         return new PngProbeInfo(width, height, bitDepth, colorType);
     }
 
+    private static boolean isValidBitDepth(int bitDepth) {
+        return bitDepth == 1 || bitDepth == 2 || bitDepth == 4 || bitDepth == 8 || bitDepth == 16;
+    }
+
+    private static boolean isValidColorType(int colorType) {
+        return colorType == 0 || colorType == 2 || colorType == 3 || colorType == 4 || colorType == 6;
+    }
+
     private static int readBeInt(byte[] bytes, int offset) throws CodecMediaException {
         if (offset + 4 > bytes.length) {
             throw new CodecMediaException("Unexpected end of PNG data");
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/tiff/TiffParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/tiff/TiffParser.java
@@ -26,6 +26,11 @@ public static TiffProbeInfo parse(byte[] bytes) throws CodecMediaException {
 
         int entryCount = readU16(bytes, ifdOffset, littleEndian);
         int pos = ifdOffset + 2;
+        int maxEntries = (bytes.length - pos) / 12;
+        if (entryCount > maxEntries) {
+            throw new CodecMediaException("TIFF IFD entry count exceeds available data");
+        }
+
         Integer width = null;
         Integer height = null;
         Integer bitDepth = null;
diff --git a/src/main/java/me/tamkungz/codecmedia/internal/image/webp/WebpParser.java b/src/main/java/me/tamkungz/codecmedia/internal/image/webp/WebpParser.java
@@ -4,6 +4,9 @@
 
 public final class WebpParser {
 
+    // Probe-level default: WebP variants are reported as 8-bit unless deeper bit-depth metadata is parsed.
+    private static final int ASSUMED_WEBP_BIT_DEPTH = 8;
+
     private WebpParser() {
     }
 
@@ -36,7 +39,7 @@ private static WebpProbeInfo parseVp8X(byte[] bytes) throws CodecMediaException
         }
         int widthMinus1 = (bytes[24] & 0xFF) | ((bytes[25] & 0xFF) << 8) | ((bytes[26] & 0xFF) << 16);
         int heightMinus1 = (bytes[27] & 0xFF) | ((bytes[28] & 0xFF) << 8) | ((bytes[29] & 0xFF) << 16);
-        return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, 8, "VP8X");
+        return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, ASSUMED_WEBP_BIT_DEPTH, "VP8X");
     }
 
     private static WebpProbeInfo parseVp8L(byte[] bytes) throws CodecMediaException {
@@ -52,7 +55,7 @@ private static WebpProbeInfo parseVp8L(byte[] bytes) throws CodecMediaException
         int b4 = bytes[24] & 0xFF;
         int widthMinus1 = b1 | ((b2 & 0x3F) << 8);
         int heightMinus1 = ((b2 >> 6) & 0x03) | (b3 << 2) | ((b4 & 0x0F) << 10);
-        return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, 8, "VP8L");
+        return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, ASSUMED_WEBP_BIT_DEPTH, "VP8L");
     }
 
     private static WebpProbeInfo parseVp8(byte[] bytes) throws CodecMediaException {
@@ -64,7 +67,7 @@ private static WebpProbeInfo parseVp8(byte[] bytes) throws CodecMediaException {
         }
         int width = ((bytes[27] & 0x3F) << 8) | (bytes[26] & 0xFF);
         int height = ((bytes[29] & 0x3F) << 8) | (bytes[28] & 0xFF);
-        return ensurePositive(width, height, 8, "VP8");
+        return ensurePositive(width, height, ASSUMED_WEBP_BIT_DEPTH, "VP8");
     }
 
     private static String fourcc(byte[] bytes, int offset) throws CodecMediaException {

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,9 @@`
`4`	`4`
`5`	`5`	`public final class WebpParser {`
`6`	`6`
	`7`	`+ // Probe-level default: WebP variants are reported as 8-bit unless deeper bit-depth metadata is parsed.`
	`8`	`+ private static final int ASSUMED_WEBP_BIT_DEPTH = 8;`
	`9`	`+`
`7`	`10`	`private WebpParser() {`
`8`	`11`	`}`
`9`	`12`
`@@ -36,7 +39,7 @@ private static WebpProbeInfo parseVp8X(byte[] bytes) throws CodecMediaException`
`36`	`39`	`}`
`37`	`40`	`int widthMinus1 = (bytes[24] & 0xFF) \| ((bytes[25] & 0xFF) << 8) \| ((bytes[26] & 0xFF) << 16);`
`38`	`41`	`int heightMinus1 = (bytes[27] & 0xFF) \| ((bytes[28] & 0xFF) << 8) \| ((bytes[29] & 0xFF) << 16);`
`39`		`- return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, 8, "VP8X");`
	`42`	`+ return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, ASSUMED_WEBP_BIT_DEPTH, "VP8X");`
`40`	`43`	`}`
`41`	`44`
`42`	`45`	`private static WebpProbeInfo parseVp8L(byte[] bytes) throws CodecMediaException {`
`@@ -52,7 +55,7 @@ private static WebpProbeInfo parseVp8L(byte[] bytes) throws CodecMediaException`
`52`	`55`	`int b4 = bytes[24] & 0xFF;`
`53`	`56`	`int widthMinus1 = b1 \| ((b2 & 0x3F) << 8);`
`54`	`57`	`int heightMinus1 = ((b2 >> 6) & 0x03) \| (b3 << 2) \| ((b4 & 0x0F) << 10);`
`55`		`- return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, 8, "VP8L");`
	`58`	`+ return ensurePositive(widthMinus1 + 1, heightMinus1 + 1, ASSUMED_WEBP_BIT_DEPTH, "VP8L");`
`56`	`59`	`}`
`57`	`60`
`58`	`61`	`private static WebpProbeInfo parseVp8(byte[] bytes) throws CodecMediaException {`
`@@ -64,7 +67,7 @@ private static WebpProbeInfo parseVp8(byte[] bytes) throws CodecMediaException {`
`64`	`67`	`}`
`65`	`68`	`int width = ((bytes[27] & 0x3F) << 8) \| (bytes[26] & 0xFF);`
`66`	`69`	`int height = ((bytes[29] & 0x3F) << 8) \| (bytes[28] & 0xFF);`
`67`		`- return ensurePositive(width, height, 8, "VP8");`
	`70`	`+ return ensurePositive(width, height, ASSUMED_WEBP_BIT_DEPTH, "VP8");`
`68`	`71`	`}`
`69`	`72`
`70`	`73`	`private static String fourcc(byte[] bytes, int offset) throws CodecMediaException {`