Fix a potential integer overflow bug in the JPEG and PNG loaders (Issue
#471)

All images are now limited to 4GiB of memory usage (37837x37837 pixels).
michaelrsweet committed Mar 10, 2022
1 parent cb4cdee commit 31f7804
Showing 2 changed files with 24 additions and 4 deletions.
3 changes: 2 additions & 1 deletion CHANGES.md
@@ -1,7 +1,8 @@
# Changes in HTMLDOC v1.9.16

- Updated the GUI interface for current display fonts.
- Fixed a potential image overflow bug with JPEG and PNG images (Issue #471)
- Fixed some minor Coverity warnings.
- Updated the GUI interface for current display fonts.


# Changes in HTMLDOC v1.9.15
25 changes: 22 additions & 3 deletions htmldoc/image.cxx
Expand Up @@ -26,6 +26,13 @@ extern "C" { /* Workaround for JPEG header problems... */
#endif // HAVE_LIBPNG


/*
* Limits...
*/

#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)


/*
* GIF definitions...
*/
Expand Down Expand Up @@ -926,7 +933,7 @@ image_load_bmp(image_t *img, /* I - Image to load into */
colors_used = (int)read_dword(fp);
read_dword(fp);

if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
return (-1);

if (info_size > 40)
Expand Down Expand Up @@ -1278,7 +1285,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
img->height = (buf[9] << 8) | buf[8];
ncolors = 2 << (buf[10] & 0x07);

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
return (-1);

// If we are writing an encrypted PDF file, bump the use count so we create
Expand Down Expand Up @@ -1326,7 +1333,7 @@ image_load_gif(image_t *img, /* I - Image pointer */
img->height = (buf[7] << 8) | buf[6];
img->depth = gray ? 1 : 3;

if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
return (-1);

if (transparent >= 0)
Expand Down Expand Up @@ -1443,6 +1450,12 @@ JSAMPROW row; /* Sample row pointer */
img->height = (int)cinfo.output_height;
img->depth = (int)cinfo.output_components;

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
{
jpeg_destroy_decompress(&cinfo);
return (-1);
}

if (!load_data)
{
jpeg_destroy_decompress(&cinfo);
Expand Down Expand Up @@ -1598,6 +1611,12 @@ image_load_png(image_t *img, /* I - Image pointer */
img->width = (int)png_get_image_width(pp, info);
img->height = (int)png_get_image_height(pp, info);

if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
{
png_destroy_read_struct(&pp, &info, NULL);
return (-1);
}

if (color_type & PNG_COLOR_MASK_ALPHA)
{
if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)
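Review bot: The check added in the JPEG and PNG hunks (and the rewritten BMP and GIF ones) bounds width and height individually but not their product, so at the new limit `img->width * img->height * img->depth` reaches 4,294,915,707 for depth 3 and more for depth 4 — above INT_MAX in both cases and above a 32-bit size_t in the second — and since the fields are `int` (see the `(int)` casts on `cinfo.output_height` and `png_get_image_width`), whether the allocation site, which lies outside these hunks, computes that size in int or in size_t cannot be confirmed here. The same five-term condition is also now repeated five times across image.cxx, which makes it easy for a future loader to miss or drift. One helper next to the new `#define IMAGE_MAX_DIM`, called as `if (image_check_dims(img->width, img->height, img->depth)) return (-1);` at each site (keeping the existing `jpeg_destroy_decompress` / `png_destroy_read_struct` cleanup in those two branches), covers both points. In the PNG hunk `img->depth` does not appear to be assigned yet at the check, so that call would need to move below where depth is set — presumably 4 for images with `PNG_COLOR_MASK_ALPHA`; confirm against the code below the hunk.

```cpp
#define IMAGE_MAX_DIM 37837 // Maximum dimension - sqrt(4GiB / 3)

/*
 * 'image_check_dims()' - Validate image dimensions before any buffer is sized
 *                        from them.  Each dimension must be positive and at most
 *                        IMAGE_MAX_DIM, and width * height * depth bytes, computed
 *                        in size_t rather than int, must not overflow.
 *                        Returns 0 if OK, -1 otherwise.
 */

static int
image_check_dims(int width,  /* I - Image width in pixels */
                 int height, /* I - Image height in pixels */
                 int depth)  /* I - Bytes per pixel */
{
  if (width <= 0 || width > IMAGE_MAX_DIM || height <= 0 || height > IMAGE_MAX_DIM || depth <= 0)
    return (-1);

  if ((size_t)width * (size_t)height > SIZE_MAX / (size_t)depth)
    return (-1);

  return (0);
}

// … unchanged: GIF definitions and the loaders, each inline check replaced by an image_check_dims() call …
```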
