RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-25 18:35:09 +00:00
Code Issues Activity Actions

LibGfx: Refuse to decode PNG images with geometry outside i32 bounds

Browse source 
Just fail the decode immediately when encountering an IHDR chunk with
width and/or height larger than the maximum i32 value.

Fixes #3818.
Fixes #3819.
This commit is contained in:
Andreas Kling 2020-11-13 11:37:10 +01:00
parent ddc5ce1800
commit c0aa455f76
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
Libraries/LibGfx/PNGLoader.cpp
View file

@ -743,6 +743,9 @@ static bool decode_png_bitmap(PNGLoadingContext& context)
if (context.state >= PNGLoadingContext::State::BitmapDecoded) if (context.state >= PNGLoadingContext::State::BitmapDecoded)
return true; return true;
ASSERT(context.width >= 0);
ASSERT(context.height >= 0);
unsigned long srclen = context.compressed_data.size() - 6; unsigned long srclen = context.compressed_data.size() - 6;
unsigned long destlen = 0; unsigned long destlen = 0;
int ret = puff(nullptr, &destlen, context.compressed_data.data() + 2, &srclen); int ret = puff(nullptr, &destlen, context.compressed_data.data() + 2, &srclen);
@ -806,6 +809,12 @@ static bool process_IHDR(const ByteBuffer& data, PNGLoadingContext& context)
if (data.size() < (int)sizeof(PNG_IHDR)) if (data.size() < (int)sizeof(PNG_IHDR))
return false; return false;
auto& ihdr = *(const PNG_IHDR*)data.data(); auto& ihdr = *(const PNG_IHDR*)data.data();
if (ihdr.width > NumericLimits<i32>::max() || ihdr.height > NumericLimits<i32>::max()) {
dbgln("PNG has invalid geometry {}x{}", (u32)ihdr.width, (u32)ihdr.height);
return false;
}
context.width = ihdr.width; context.width = ihdr.width;
context.height = ihdr.height; context.height = ihdr.height;
context.bit_depth = ihdr.bit_depth; context.bit_depth = ihdr.bit_depth;