authorJorge Arellano Cid <jcid@dillo.org>2009-06-19 13:11:36 -0400
committerJorge Arellano Cid <jcid@dillo.org>2009-06-19 13:11:36 -0400
commitc1ff2a39f4abae6cf587df14a9754b98c1ccc0e3 (patch)
tree7e2b1f7698a756d0531ebc40711948a83b471ad7
parentf04e6473ce9df77056e7b188b17a5e3e0015c297 (diff)
Added a limit for PNG image size
-rw-r--r--src/html.cc4
-rw-r--r--src/image.hh13
-rw-r--r--src/png.c6
3 files changed, 20 insertions, 3 deletions
diff --git a/src/html.cc b/src/html.cc
index 18bb34a9..86e5fe97 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -1953,8 +1953,6 @@ static void Html_tag_open_address(DilloHtml *html,
DilloImage *a_Html_image_new(DilloHtml *html, const char *tag,
int tagsize, DilloUrl *url)
{
- const int MAX_W = 6000, MAX_H = 6000;
-
DilloImage *Image;
char *width_ptr, *height_ptr, *alt_ptr;
const char *attrbuf;
@@ -1987,7 +1985,7 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag,
h = (int) (CSS_LENGTH_TYPE(l_h) == CSS_LENGTH_TYPE_PX ?
CSS_LENGTH_VALUE(l_h) : 0);
}
- if (w < 0 || h < 0 || abs(w*h) > MAX_W * MAX_H) {
+ if (w < 0 || h < 0 || abs(w*h) > IMAGE_MAX_W * IMAGE_MAX_H) {
dFree(width_ptr);
dFree(height_ptr);
width_ptr = height_ptr = NULL;
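Review bot: The guard `abs(w*h) > IMAGE_MAX_W * IMAGE_MAX_H` still multiplies before bounding either operand, so a width and height whose product overflows `int` (which is what the `(int)` casts above suggest `w` and `h` are) can wrap to a small value and pass the limit. Bounding each dimension first avoids the multiplication: `if (w < 0 || h < 0 || w > IMAGE_MAX_W || h > IMAGE_MAX_H) {`; if an area cap is intended, compare `h` against `(IMAGE_MAX_W * IMAGE_MAX_H) / w` for non-zero `w` instead. The new check in Png_datainfo_callback in src/png.c has the same shape, and there `abs()` takes an `int` while the `%ld` format suggests the fields are wider, so the product may also be truncated before the comparison. a_Html_image_new's body starts and ends outside this hunk.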
diff --git a/src/image.hh b/src/image.hh
index c1b0e918..8291ffb4 100644
--- a/src/image.hh
+++ b/src/image.hh
@@ -12,6 +12,19 @@ extern "C" {
#include "bitvec.h"
#include "url.h"
+/*
+ * Defines
+ */
+
+/* Arbitrary maximum for image size (to avoid image size-crafting attacks). */
+#define IMAGE_MAX_W 6000
+#define IMAGE_MAX_H 6000
+
+
+/*
+ * Types
+ */
+
typedef struct _DilloImage DilloImage;
typedef enum {
diff --git a/src/png.c b/src/png.c
index c1257119..2184dd01 100644
--- a/src/png.c
+++ b/src/png.c
@@ -137,6 +137,12 @@ Png_datainfo_callback(png_structp png_ptr, png_infop info_ptr)
png_get_IHDR(png_ptr, info_ptr, &png->width, &png->height,
&bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) {
+ MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n",
+ png->width, png->height);
+ Png_error_handling(png_ptr, "Aborting...");
+ return; /* not reached */
+ }
_MSG("Png_datainfo_callback: png->width = %ld\n"
"Png_datainfo_callback: png->height = %ld\n",