Add checks for decompression bombs

YahooArchive · Sep 14, 2015 · 2c424fd · 2c424fd
1 parent 05e2153
commit 2c424fd
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/lib/png/chunks/IHDR.js b/lib/png/chunks/IHDR.js
@@ -424,6 +424,17 @@ module.exports = {
 	},
 
 
+	/**
+	 * Gets the dimensions of the image
+	 *
+	 * @method getDimensions
+	 * @return {int}
+	 */
+	getDimensions: function () {
+		return this.getWidth() * this.getHeight();
+	},
+
+
 	/**
 	 * Parsing of chunk data
 	 *
@@ -437,6 +448,8 @@ module.exports = {
 	 */
 	parse: function (stream, length, strict, options) {
 
+		var maxWidth, maxHeight, maxDim, maxSize;
+
 		// Validation
 		if ((strict && (length !== 13)) || (length < 13)) {
 			throw new Error('Invalid length of header. Length: ' + length);
@@ -471,6 +484,25 @@ module.exports = {
 		if ((this._colorType === colorTypes.TRUE_COLOR_ALPHA) && ([8, 16].indexOf(this._bitDepth) === -1)) {
 			throw new Error('Header error: Unsupported bit-depth for TrueColor with alpha-channel images.');
 		}
+
+		// Check for de-compression bombs
+		maxWidth = (options.maxWidth !== undefined) ? options.maxWidth : 2000;
+		if ((maxWidth !== 0) && (this.width > maxWidth)) {
+			throw new Error('Image width is larger than allowed.');
+		}
+		maxHeight = (options.maxWidth !== undefined) ? options.maxWidth : 2000;
+		if ((maxHeight !== 0) && (this.height > maxHeight)) {
+			throw new Error('Image height is larger than allowed.');
+		}
+		maxDim = (options.maxWidth !== undefined) ? options.maxWidth : 2000 * 2000;
+		if ((maxDim !== 0) && (this.getDimensions() > maxDim)) {
+			throw new Error('Image resolution is larger than allowed.');
+		}
+
+		maxSize = (options.maxSize !== undefined) ? options.maxSize : 16 * 1024 * 1024;
+		if ((maxSize !== 0) && (this.getImageSizeInBytes() > maxSize)) {
+			throw new Error('Image size in byte is greater than allowed.');
+		}
 	},
 
 	/**