-rw-r--r--src/gif.c9
-rw-r--r--src/jpeg.c10
-rw-r--r--src/png.c2
3 files changed, 21 insertions, 0 deletions
diff --git a/src/gif.c b/src/gif.c
index d048e706..00fbf7eb 100644
--- a/src/gif.c
+++ b/src/gif.c
@@ -812,6 +812,15 @@ static size_t Gif_do_img_desc(DilloGif *gif, void *Buf,
gif->Width = LM_to_uint(buf[4], buf[5]);
gif->Height = LM_to_uint(buf[6], buf[7]);
+
+ /* check max image size */
+ if (gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ MSG("Gif_do_img_desc: suspicious image size request %ux%u\n",
+ gif->Width, gif->Height);
+ gif->state = 999;
+ return 0;
+ }
+
gif->linebuf = dMalloc(gif->Width);
a_Dicache_set_parms(gif->url, gif->version, gif->Image,
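Review bot: The new guard bounds only the area, so an image descriptor with `Width` or `Height` of 0 yields a product of 0, passes the test and still reaches `dMalloc(gif->Width)`; unless a zero dimension is rejected outside this hunk, the condition should begin with `gif->Width == 0 || gif->Height == 0 ||`. An area-only test also accepts a frame wider than `IMAGE_MAX_W` as long as it is short enough, which deserves a one-line comment if that is intended. The multiplication cannot wrap here only because both operands are built from two bytes by `LM_to_uint` (assuming the members are at least 32-bit unsigned, as the `%u` format suggests), and the comment `/* check max image size */` could say so. The same area-only form is used in the `Jpeg_write` hunk. `Gif_do_img_desc` starts and ends outside the hunk.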
diff --git a/src/jpeg.c b/src/jpeg.c
index 212b61f6..09bdfb3d 100644
--- a/src/jpeg.c
+++ b/src/jpeg.c
@@ -279,6 +279,16 @@ static void Jpeg_write(DilloJpeg *jpeg, void *Buf, uint_t BufSize)
!(a_Capi_get_flags(jpeg->url) & CAPI_Completed))
jpeg->cinfo.buffered_image = TRUE;
+ /* check max image size */
+ if ((uint_t)jpeg->cinfo.image_width *
+ (uint_t)jpeg->cinfo.image_height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ MSG("Jpeg_write: suspicious image size request %ux%u\n",
+ (uint_t)jpeg->cinfo.image_width,
+ (uint_t)jpeg->cinfo.image_height);
+ jpeg->state = DILLO_JPEG_ERROR;
+ return;
+ }
+
a_Dicache_set_parms(jpeg->url, jpeg->version, jpeg->Image,
(uint_t)jpeg->cinfo.image_width,
(uint_t)jpeg->cinfo.image_height,
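Review bot: This is another hand-written copy of the size limit, and the copies differ in form: here both operands are cast to `uint_t`, gif.c multiplies the struct members directly, and png.c wraps the product in `abs()`. A single `static inline` predicate that takes width and height as `uint_t`, declared next to `IMAGE_MAX_W`/`IMAGE_MAX_H`, would keep the limit and its overflow behaviour identical in every decoder. The early `return` after `jpeg->state = DILLO_JPEG_ERROR;` relies on cleanup of the decompressor state happening elsewhere; that path is outside the hunk and should be confirmed. `Jpeg_write` starts and ends outside the hunk.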
diff --git a/src/png.c b/src/png.c
index 2184dd01..3015f9d2 100644
--- a/src/png.c
+++ b/src/png.c
@@ -137,6 +137,8 @@ Png_datainfo_callback(png_structp png_ptr, png_infop info_ptr)
png_get_IHDR(png_ptr, info_ptr, &png->width, &png->height,
&bit_depth, &color_type, &interlace_type, NULL, NULL);
+
+ /* check max image size */
if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) {
MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n",
png->width, png->height);