Mercurial > dillo_port1.3
changeset 1178:97b68213b58e
Added a limit for PNG image size
| author | Jorge Arellano Cid <jcid@dillo.org> |
|---|---|
| date | Fri, 19 Jun 2009 13:11:36 -0400 |
| parents | 7ac828844742 |
| children | efaf6ebe0fed |
| files | src/html.cc src/image.hh src/png.c |
| diffstat | 3 files changed, 20 insertions(+), 3 deletions(-) [+] |
line wrap: on
line diff
--- a/src/html.cc Wed Jun 17 14:18:13 2009 -0400 +++ b/src/html.cc Fri Jun 19 13:11:36 2009 -0400 @@ -1953,8 +1953,6 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag, int tagsize, DilloUrl *url) { - const int MAX_W = 6000, MAX_H = 6000; - DilloImage *Image; char *width_ptr, *height_ptr, *alt_ptr; const char *attrbuf; @@ -1987,7 +1985,7 @@ h = (int) (CSS_LENGTH_TYPE(l_h) == CSS_LENGTH_TYPE_PX ? CSS_LENGTH_VALUE(l_h) : 0); } - if (w < 0 || h < 0 || abs(w*h) > MAX_W * MAX_H) { + if (w < 0 || h < 0 || abs(w*h) > IMAGE_MAX_W * IMAGE_MAX_H) { dFree(width_ptr); dFree(height_ptr); width_ptr = height_ptr = NULL;
--- a/src/image.hh Wed Jun 17 14:18:13 2009 -0400 +++ b/src/image.hh Fri Jun 19 13:11:36 2009 -0400 @@ -12,6 +12,19 @@ #include "bitvec.h" #include "url.h" +/* + * Defines + */ + +/* Arbitrary maximum for image size (to avoid image size-crafting attacks). */ +#define IMAGE_MAX_W 6000 +#define IMAGE_MAX_H 6000 + + +/* + * Types + */ + typedef struct _DilloImage DilloImage; typedef enum {
--- a/src/png.c Wed Jun 17 14:18:13 2009 -0400 +++ b/src/png.c Fri Jun 19 13:11:36 2009 -0400 @@ -137,6 +137,12 @@ png_get_IHDR(png_ptr, info_ptr, &png->width, &png->height, &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) { + MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n", + png->width, png->height); + Png_error_handling(png_ptr, "Aborting..."); + return; /* not reached */ + } _MSG("Png_datainfo_callback: png->width = %ld\n" "Png_datainfo_callback: png->height = %ld\n",