lodepng: Set hard limit for image buffer size at 4GiB

hpjansson · Jul 3, 2022 · c9a893d · c9a893d
1 parent 3836c0e
commit c9a893d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/lodepng/lodepng.c b/lodepng/lodepng.c
@@ -4975,16 +4975,30 @@ static void decodeGeneric(unsigned char** out, unsigned* w, unsigned* h,
       expected_size += lodepng_get_raw_size_idat((*w + 0), (*h + 0) >> 1, bpp);
     }
 
+    if(expected_size > LODEPNG_IMAGE_DATA_SIZE_MAX) {
+      state->error = 114;
+    }
+  }
+
+  if (!state->error) {
     state->error = zlib_decompress(&scanlines, &scanlines_size, expected_size, idat, idatsize, &state->decoder.zlibsettings);
   }
+
   if(!state->error && scanlines_size != expected_size) state->error = 91; /*decompressed size doesn't match prediction*/
   lodepng_free(idat);
 
   if(!state->error) {
     outsize = lodepng_get_raw_size(*w, *h, &state->info_png.color);
+    if (outsize > LODEPNG_IMAGE_DATA_SIZE_MAX) {
+      state->error = 114;
+    }
+  }
+
+  if(!state->error) {
     *out = (unsigned char*)lodepng_malloc(outsize);
     if(!*out) state->error = 83; /*alloc fail*/
   }
+
   if(!state->error) {
     lodepng_memset(*out, 0, outsize);
     state->error = postProcessScanlines(*out, scanlines, *w, *h, &state->info_png);
@@ -6302,6 +6316,8 @@ const char* lodepng_error_text(unsigned code) {
     /*max ICC size limit can be configured in LodePNGDecoderSettings. This error prevents
     unreasonable memory consumption when decoding due to impossibly large ICC profile*/
     case 113: return "ICC profile unreasonably large";
+    /*max size of an in-memory image buffer*/
+    case 114: return "image data unreasonably large";
   }
   return "unknown error code";
 }

diff --git a/lodepng/lodepng.h b/lodepng/lodepng.h
@@ -30,6 +30,10 @@ freely, subject to the following restrictions:
 
 extern const char* LODEPNG_VERSION_STRING;
 
+/*Hard upper limit on size of an uncompressed in-memory image buffer. The
+total memory consumption may be higher, e.g. during postProcessScanlines().*/
+#define LODEPNG_IMAGE_DATA_SIZE_MAX 0xffffffffU
+
 /*
 The following #defines are used to create code sections. They can be disabled
 to disable code sections, which can give faster compile time and smaller binary.