PSD: protect against corrupted embedded thumbnails (#3629)

src/psd.imageio/psdinput.cpp

@@ -1283,6 +1283,27 @@ PSDInput::load_resource_thumbnail(uint32_t length, bool isBGR)
     if (!ok)
         return false;
 
+    // Sanity checks
+    // Strutil::print("thumb h {} w {} bpp {} planes {} format {} widthbytes {} total_size {}\n",
+    //                height, width, bpp, planes, format, widthbytes, total_size);
+    if (bpp != 8 && bpp != 24) {
+        errorfmt(
+            "Thumbnail JPEG is {} bpp, not supported or possibly corrupt file",
+            bpp);
+        return false;
+    }
+    if ((bpp / 8) * width != widthbytes) {
+        errorfmt("Corrupt thumbnail: {}w * {}bpp does not match {} width bytes",
+                 width, bpp, widthbytes);
+        return false;
+    }
+    if (widthbytes * height * planes != total_size) {
+        errorfmt(
+            "Corrupt thumbnail: {}w * {}h * {}bpp does not match {} total_size",
+            width, height, bpp, total_size);
+        return false;
+    }
+
     // We only support kJpegRGB since I don't have any test images with
     // kRawRGB
     if (format != kJpegRGB || bpp != 24 || planes != 1) {

testsuite/psd/ref/out.txt

@@ -1068,3 +1068,7 @@ oiiotool ERROR: read : Failed to decode Exif data
 failed to open "src/crash-psd-exif-1632.psd": failed load_resources
 Full command line was:
 > oiiotool --info -v -a --hash src/crash-psd-exif-1632.psd
+oiiotool ERROR: read : Corrupt thumbnail: 262304w * 24bpp does not match 480 width bytes
+failed to open "src/crash-thumb-1626.psd": failed load_resources
+Full command line was:
+> oiiotool --info -v -a --hash src/crash-thumb-1626.psd

testsuite/psd/run.py

@@ -13,3 +13,5 @@
 
 # This file has a corrupted Exif block
 command += info_command ("src/crash-psd-exif-1632.psd", failureok = 1)
+# Corrupted thumbnail clobbered memory
+command += info_command ("src/crash-thumb-1626.psd", failureok = 1)