7058611: JPG parser bugs found via zzuf fuzzing

Reviewed-by: prr, vadim

jdk/src/share/classes/com/sun/imageio/plugins/jpeg/MarkerSegment.java

@@ -28,6 +28,7 @@ package com.sun.imageio.plugins.jpeg;
 import javax.imageio.metadata.IIOInvalidTreeException;
 import javax.imageio.metadata.IIOMetadataNode;
 import javax.imageio.stream.ImageOutputStream;
+import javax.imageio.IIOException;
 
 import java.io.IOException;
 
@@ -60,6 +61,10 @@ class MarkerSegment implements Cloneable {
         length = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         length |= buffer.buf[buffer.bufPtr++] & 0xff;
         length -= 2;  // JPEG length includes itself, we don't
+
+        if (length < 0) {
+            throw new IIOException("Invalid segment length: " + length);
+        }
         buffer.bufAvail -= 3;
         // Now that we know the true length, ensure that we've got it,
         // or at least a bufferful if length is too big.

jdk/src/share/classes/com/sun/imageio/plugins/jpeg/SOFMarkerSegment.java

@@ -78,7 +78,7 @@ class SOFMarkerSegment extends MarkerSegment {
         numLines |= buffer.buf[buffer.bufPtr++] & 0xff;
         samplesPerLine = (buffer.buf[buffer.bufPtr++] & 0xff) << 8;
         samplesPerLine |= buffer.buf[buffer.bufPtr++] & 0xff;
-        int numComponents = buffer.buf[buffer.bufPtr++];
+        int numComponents = buffer.buf[buffer.bufPtr++] & 0xff;
         componentSpecs = new ComponentSpec [numComponents];
         for (int i = 0; i < numComponents; i++) {
             componentSpecs[i] = new ComponentSpec(buffer);