From c0aa455f7621663673b58b9674c493e5ce00371d Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Fri, 13 Nov 2020 11:37:10 +0100
Subject: [PATCH] LibGfx: Refuse to decode PNG images with geometry outside i32 bounds

Just fail the decode immediately when encountering an IHDR chunk with width and/or height larger than the maximum i32 value.

Fixes #3818.
Fixes #3819.
---
 Libraries/LibGfx/PNGLoader.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/Libraries/LibGfx/PNGLoader.cpp b/Libraries/LibGfx/PNGLoader.cpp
index 320787e5f7..f0f382ea86 100644
--- a/Libraries/LibGfx/PNGLoader.cpp
+++ b/Libraries/LibGfx/PNGLoader.cpp
@@ -743,6 +743,9 @@ static bool decode_png_bitmap(PNGLoadingContext& context)
 if (context.state >= PNGLoadingContext::State::BitmapDecoded)
 return true;
 
+ ASSERT(context.width >= 0);
+ ASSERT(context.height >= 0);
+
 unsigned long srclen = context.compressed_data.size() - 6;
 unsigned long destlen = 0;
 int ret = puff(nullptr, &destlen, context.compressed_data.data() + 2, &srclen);
@@ -806,6 +809,12 @@ static bool process_IHDR(const ByteBuffer& data, PNGLoadingContext& context)
 if (data.size() < (int)sizeof(PNG_IHDR))
 return false;
 auto& ihdr = *(const PNG_IHDR*)data.data();
+
+ if (ihdr.width > NumericLimits::max() || ihdr.height > NumericLimits::max()) {
+ dbgln("PNG has invalid geometry {}x{}", (u32)ihdr.width, (u32)ihdr.height);
+ return false;
+ }
+
 context.width = ihdr.width;
 context.height = ihdr.height;
 context.bit_depth = ihdr.bit_depth;
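Review bot: The two new ASSERTs in decode_png_bitmap only hold because process_IHDR now rejects out-of-range geometry, and nothing in this function re-establishes that; if ASSERT compiles out in release builds (I cannot see its definition here), the invariant is documented by the assert in debug builds only. A one-line comment above them would record where the guarantee comes from, e.g. `// width/height were range-checked against i32 bounds in process_IHDR; a negative value here is a logic error, not bad input.` Separately, the context line `unsigned long srclen = context.compressed_data.size() - 6;` right below the inserted block still underflows when fewer than six bytes of IDAT data were collected, so a `compressed_data.size() < 6` rejection would belong next to these asserts rather than relying on puff() to cope. decode_png_bitmap starts and ends outside this hunk.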
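Review bot: The new guard in process_IHDR bounds width and height individually, so a header declaring dimensions just under INT_MAX on both axes still passes and whatever later sizes the bitmap from width * height (not visible in this hunk) can overflow or request an enormous allocation; consider rejecting the pixel count as well, and also zero dimensions, which the PNG format does not permit, e.g. `if (ihdr.width == 0 || ihdr.height == 0 || ihdr.width > NumericLimits<int>::max() || ihdr.height > NumericLimits<int>::max())`. The rendered condition reads `NumericLimits::max()` with no template argument, which looks like a rendering loss rather than the committed text; the build would not accept it as shown. A short comment on the dbgln line stating that this is an untrusted-input rejection rather than an internal error (`// Untrusted header: log and fail the decode, never assert.`) would make the intent clear to the next reader. process_IHDR continues past the end of this hunk.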