From c9a893d16ac7bc761a0a115667ad6fc1066c01a3 Mon Sep 17 00:00:00 2001 From: Hans Petter Jansson Date: Mon, 4 Jul 2022 00:17:49 +0200 Subject: [PATCH] lodepng: Set hard limit for image buffer size at 4GiB --- lodepng/lodepng.c | 16 ++++++++++++++++ lodepng/lodepng.h | 4 ++++ 2 files changed, 20 insertions(+) diff --git a/lodepng/lodepng.c b/lodepng/lodepng.c index c97d151c..78ffce82 100644 --- a/lodepng/lodepng.c +++ b/lodepng/lodepng.c @@ -4975,16 +4975,30 @@ static void decodeGeneric(unsigned char** out, unsigned* w, unsigned* h, expected_size += lodepng_get_raw_size_idat((*w + 0), (*h + 0) >> 1, bpp); } + if(expected_size > LODEPNG_IMAGE_DATA_SIZE_MAX) { + state->error = 114; + } + } + + if (!state->error) { state->error = zlib_decompress(&scanlines, &scanlines_size, expected_size, idat, idatsize, &state->decoder.zlibsettings); } + if(!state->error && scanlines_size != expected_size) state->error = 91; /*decompressed size doesn't match prediction*/ lodepng_free(idat); if(!state->error) { outsize = lodepng_get_raw_size(*w, *h, &state->info_png.color); + if (outsize > LODEPNG_IMAGE_DATA_SIZE_MAX) { + state->error = 114; + } + } + + if(!state->error) { *out = (unsigned char*)lodepng_malloc(outsize); if(!*out) state->error = 83; /*alloc fail*/ } + if(!state->error) { lodepng_memset(*out, 0, outsize); state->error = postProcessScanlines(*out, scanlines, *w, *h, &state->info_png); @@ -6302,6 +6316,8 @@ const char* lodepng_error_text(unsigned code) { /*max ICC size limit can be configured in LodePNGDecoderSettings. This error prevents unreasonable memory consumption when decoding due to impossibly large ICC profile*/ case 113: return "ICC profile unreasonably large"; + /*max size of an in-memory image buffer*/ + case 114: return "image data unreasonably large"; } return "unknown error code"; } diff --git a/lodepng/lodepng.h b/lodepng/lodepng.h index 555a3d08..2a111e2e 100644 --- a/lodepng/lodepng.h +++ b/lodepng/lodepng.h 
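Review bot: Both new `> LODEPNG_IMAGE_DATA_SIZE_MAX` comparisons in decodeGeneric run after the size has already been computed, so they can only reject an image when the size type is wider than 32 bits. If `expected_size` and `outsize` are `size_t` (their declarations are outside the hunk), then on a 32-bit target neither can ever exceed `0xffffffffU`, and the interlaced branch's sum of sub-image sizes may already have wrapped before the check; whether an earlier dimension check covers that is not visible here. I would record this beside the first check, e.g. `/*only effective where size_t is wider than 32 bits; overflow of the size computation has to be rejected before this point*/`. Both `state->error = 114;` assignments should also get a trailing `/*image data unreasonably large*/`, matching the comments on 91 and 83. decodeGeneric starts and ends outside this hunk.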
@@ -30,6 +30,10 @@ freely, subject to the following restrictions: extern const char* LODEPNG_VERSION_STRING; +/*Hard upper limit on size of an uncompressed in-memory image buffer. The +total memory consumption may be higher, e.g. during postProcessScanlines().*/ +#define LODEPNG_IMAGE_DATA_SIZE_MAX 0xffffffffU + /* The following #defines are used to create code sections. They can be disabled to disable code sections, which can give faster compile time and smaller binary.
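Review bot: `LODEPNG_IMAGE_DATA_SIZE_MAX` is defined unconditionally, so a project embedding this header cannot lower the cap from its build flags, and just under 4 GiB per buffer is still a large allocation to grant to a file from an untrusted source. The comment in lodepng_error_text says the ICC limit is configurable through LodePNGDecoderSettings, while this limit is fixed at compile time. Wrapping the definition as `#ifndef LODEPNG_IMAGE_DATA_SIZE_MAX`, `#define LODEPNG_IMAGE_DATA_SIZE_MAX 0xffffffffU`, `#endif` would keep the default and allow a stricter value. The comment could also say that the limit applies to each buffer separately, since decodeGeneric passes both `scanlines` and `*out` to postProcessScanlines() and so holds the two buffers at once.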