changeset 1180:e02128d96c8a release-2_1

Added image size sanity checks
author Jorge Arellano Cid <jcid@dillo.org>
date Fri, 19 Jun 2009 19:07:47 -0400
parents efaf6ebe0fed
children fb0cc25ed087
files src/gif.c src/jpeg.c src/png.c
diffstat 3 files changed, 21 insertions(+), 0 deletions(-) [+]
--- a/src/gif.c	Fri Jun 19 13:12:16 2009 -0400
+++ b/src/gif.c	Fri Jun 19 19:07:47 2009 -0400
@@ -812,6 +812,15 @@
 
    gif->Width   = LM_to_uint(buf[4], buf[5]);
    gif->Height  = LM_to_uint(buf[6], buf[7]);
+
+   /* check max image size */
+   if (gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {
+      MSG("Gif_do_img_desc: suspicious image size request %ux%u\n",
+          gif->Width, gif->Height);
+      gif->state = 999;
+      return 0;
+   }
+
    gif->linebuf = dMalloc(gif->Width);
 
    a_Dicache_set_parms(gif->url, gif->version, gif->Image,
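Review bot: A zero `gif->Width` or `gif->Height` passes the added test, because the product is then 0, and the next line sizes `gif->linebuf` from `gif->Width`. Both fields are taken directly from the descriptor bytes, so the guard should reject empty dimensions too: `if (gif->Width == 0 || gif->Height == 0 || gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {`. Whether the later decode path tolerates a zero-length line buffer is not visible here, so that should be confirmed. The bare `gif->state = 999;` would also benefit from a short comment saying what state 999 means. The function body starts and ends outside the hunk.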
--- a/src/jpeg.c	Fri Jun 19 13:12:16 2009 -0400
+++ b/src/jpeg.c	Fri Jun 19 19:07:47 2009 -0400
@@ -279,6 +279,16 @@
              !(a_Capi_get_flags(jpeg->url) & CAPI_Completed))
             jpeg->cinfo.buffered_image = TRUE;
 
+         /* check max image size */
+         if ((uint_t)jpeg->cinfo.image_width *
+             (uint_t)jpeg->cinfo.image_height  > IMAGE_MAX_W * IMAGE_MAX_H) {
+            MSG("Jpeg_write: suspicious image size request %ux%u\n",
+                (uint_t)jpeg->cinfo.image_width,
+                (uint_t)jpeg->cinfo.image_height);
+            jpeg->state = DILLO_JPEG_ERROR;
+            return;
+         }
+
          a_Dicache_set_parms(jpeg->url, jpeg->version, jpeg->Image,
                              (uint_t)jpeg->cinfo.image_width,
                              (uint_t)jpeg->cinfo.image_height,
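Review bot: The comment `/* check max image size */` reads as a per-dimension limit, but the test below it bounds only the pixel count, so a very wide and very short image still passes as long as its area is under `IMAGE_MAX_W * IMAGE_MAX_H`. I would state that in the comment, for example `/* reject images whose pixel count exceeds IMAGE_MAX_W * IMAGE_MAX_H (area limit; width and height are not bounded individually) */`. The same wording is used in the gif.c and png.c hunks. If downstream buffers are sized by row width, a separate `image_width > IMAGE_MAX_W` test may also be wanted, but that code is outside this hunk.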
--- a/src/png.c	Fri Jun 19 13:12:16 2009 -0400
+++ b/src/png.c	Fri Jun 19 19:07:47 2009 -0400
@@ -137,6 +137,8 @@
 
    png_get_IHDR(png_ptr, info_ptr, &png->width, &png->height,
                 &bit_depth, &color_type, &interlace_type, NULL, NULL);
+
+   /* check max image size */
    if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) {
       MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n",
           png->width, png->height);
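Review bot: The size test that the new comment labels multiplies `png->width*png->height` before comparing and passes the product to `abs()`, which takes an `int`. With large header values the product can wrap or be truncated to a small number and slip under the limit. The `%ld` format suggests the fields are long-sized, though their declarations are outside the hunk. Assuming unsigned fields, comparing by division avoids the multiplication: `if (png->width == 0 || png->height == 0 || png->width > (IMAGE_MAX_W * IMAGE_MAX_H) / png->height) {`. The body of this `if` continues past the end of the hunk.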