From 068615fe5e25ff763d84262c615ab4c1f178a708 Mon Sep 17 00:00:00 2001
From: Andreas Kling <kling@serenityos.org>
Date: Wed, 23 Dec 2020 15:44:54 +0100
Subject: [PATCH] LibGfx: Reject PNG files with invalid filter/interlace
 methods

Might as well reject these when parsing the IHDR chunk instead of
continuing to load something invalid.
---
 Libraries/LibGfx/PNGLoader.cpp | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/Libraries/LibGfx/PNGLoader.cpp b/Libraries/LibGfx/PNGLoader.cpp
index 02a3391ebe..a03fafb1d6 100644
--- a/Libraries/LibGfx/PNGLoader.cpp
+++ b/Libraries/LibGfx/PNGLoader.cpp
@@ -818,6 +818,16 @@ static RefPtr<Gfx::Bitmap> load_png_impl(const u8* data, size_t data_size)
     return context.bitmap;
 }
 
+static bool is_valid_compression_method(u8 compression_method)
+{
+    return compression_method == 0;
+}
+
+static bool is_valid_filter_method(u8 filter_method)
+{
+    return filter_method <= 4;
+}
+
 static bool process_IHDR(ReadonlyBytes data, PNGLoadingContext& context)
 {
     if (data.size() < (int)sizeof(PNG_IHDR))
@@ -829,6 +839,16 @@ static bool process_IHDR(ReadonlyBytes data, PNGLoadingContext& context)
         return false;
     }
 
+    if (!is_valid_compression_method(ihdr.compression_method)) {
+        dbgln("PNG has invalid compression method {}", ihdr.compression_method);
+        return false;
+    }
+
+    if (!is_valid_filter_method(ihdr.filter_method)) {
+        dbgln("PNG has invalid filter method {}", ihdr.filter_method);
+        return false;
+    }
+
     context.width = ihdr.width;
     context.height = ihdr.height;
     context.bit_depth = ihdr.bit_depth;