Fix a potential integer overflow bug in the JPEG and PNG loaders (Issue

#471) All images are now limited to 4GiB of memory usage (37837x37837 pixels).
michaelrsweet · Mar 10, 2022 · 31f7804 · 31f7804
1 parent cb4cdee
commit 31f7804
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,7 +1,8 @@
 # Changes in HTMLDOC v1.9.16
 
-- Updated the GUI interface for current display fonts.
+- Fixed a potential image overflow bug with JPEG and PNG images (Issue #471)
 - Fixed some minor Coverity warnings.
+- Updated the GUI interface for current display fonts.
 
 
 # Changes in HTMLDOC v1.9.15

diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
@@ -26,6 +26,13 @@ extern "C" {		/* Workaround for JPEG header problems... */
 #endif // HAVE_LIBPNG
 
 
+/*
+ * Limits...
+ */
+
+#define IMAGE_MAX_DIM	37837		// Maximum dimension - sqrt(4GiB / 3)
+
+
 /*
  * GIF definitions...
  */
@@ -926,7 +933,7 @@ image_load_bmp(image_t *img,	/* I - Image to load into */
   colors_used      = (int)read_dword(fp);
   read_dword(fp);
 
-  if (img->width <= 0 || img->width > 8192 || img->height <= 0 || img->height > 8192 || info_size < 0)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM || info_size < 0)
     return (-1);
 
   if (info_size > 40)
@@ -1278,7 +1285,7 @@ image_load_gif(image_t *img,	/* I - Image pointer */
   img->height = (buf[9] << 8) | buf[8];
   ncolors     = 2 << (buf[10] & 0x07);
 
-  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
     return (-1);
 
   // If we are writing an encrypted PDF file, bump the use count so we create
@@ -1326,7 +1333,7 @@ image_load_gif(image_t *img,	/* I - Image pointer */
           img->height = (buf[7] << 8) | buf[6];
           img->depth  = gray ? 1 : 3;
 
-	  if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767)
+	  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
 	    return (-1);
 
           if (transparent >= 0)
@@ -1443,6 +1450,12 @@ JSAMPROW			row;		/* Sample row pointer */
   img->height = (int)cinfo.output_height;
   img->depth  = (int)cinfo.output_components;
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+  {
+    jpeg_destroy_decompress(&cinfo);
+    return (-1);
+  }
+
   if (!load_data)
   {
     jpeg_destroy_decompress(&cinfo);
@@ -1598,6 +1611,12 @@ image_load_png(image_t *img,	/* I - Image pointer */
   img->width  = (int)png_get_image_width(pp, info);
   img->height = (int)png_get_image_height(pp, info);
 
+  if (img->width <= 0 || img->width > IMAGE_MAX_DIM || img->height <= 0 || img->height > IMAGE_MAX_DIM)
+  {
+    png_destroy_read_struct(&pp, &info, NULL);
+    return (-1);
+  }
+
   if (color_type & PNG_COLOR_MASK_ALPHA)
   {
     if ((PSLevel == 0 && PDFVersion >= 14) || PSLevel == 3)