From d1e9237fdaf8a2e5ba5993fbd0efa9a016b4cc6e Mon Sep 17 00:00:00 2001
From: Jorge Arellano Cid
Date: Fri, 19 Jun 2009 19:07:47 -0400
Subject: Added image size sanity checks
---
 src/gif.c | 9 +++++++++
 src/jpeg.c | 10 ++++++++++
 src/png.c | 2 ++
 3 files changed, 21 insertions(+)
diff --git a/src/gif.c b/src/gif.c
index d048e706..00fbf7eb 100644
--- a/src/gif.c
+++ b/src/gif.c
@@ -812,6 +812,15 @@ static size_t Gif_do_img_desc(DilloGif *gif, void *Buf,
 gif->Width = LM_to_uint(buf[4], buf[5]);
 gif->Height = LM_to_uint(buf[6], buf[7]);
+
+ /* check max image size */
+ if (gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ MSG("Gif_do_img_desc: suspicious image size request %ux%u\n",
+ gif->Width, gif->Height);
+ gif->state = 999;
+ return 0;
+ }
+
 gif->linebuf = dMalloc(gif->Width);
 a_Dicache_set_parms(gif->url, gif->version, gif->Image,
diff --git a/src/jpeg.c b/src/jpeg.c
index 212b61f6..09bdfb3d 100644
--- a/src/jpeg.c
+++ b/src/jpeg.c
@@ -279,6 +279,16 @@ static void Jpeg_write(DilloJpeg *jpeg, void *Buf, uint_t BufSize)
 !(a_Capi_get_flags(jpeg->url) & CAPI_Completed))
 jpeg->cinfo.buffered_image = TRUE;
+ /* check max image size */
+ if ((uint_t)jpeg->cinfo.image_width *
+ (uint_t)jpeg->cinfo.image_height > IMAGE_MAX_W * IMAGE_MAX_H) {
+ MSG("Jpeg_write: suspicious image size request %ux%u\n",
+ (uint_t)jpeg->cinfo.image_width,
+ (uint_t)jpeg->cinfo.image_height);
+ jpeg->state = DILLO_JPEG_ERROR;
+ return;
+ }
+
 a_Dicache_set_parms(jpeg->url, jpeg->version, jpeg->Image, (uint_t)jpeg->cinfo.image_width, (uint_t)jpeg->cinfo.image_height,
diff --git a/src/png.c b/src/png.c
index 2184dd01..3015f9d2 100644
--- a/src/png.c
+++ b/src/png.c
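Review bot: A zero `gif->Width` or `gif->Height` still passes the new area check in Gif_do_img_desc and reaches `dMalloc(gif->Width)`, because only the product is compared against the limit; consider rejecting empty dimensions in the same guard, e.g. `if (gif->Width == 0 || gif->Height == 0 || gif->Width * gif->Height > IMAGE_MAX_W * IMAGE_MAX_H) {`. The product is wrap-free only if both fields are unsigned and at least 32 bits wide (each is built from two buffer elements by LM_to_uint); their declarations are not in the hunk, so that is worth confirming. The literal `gif->state = 999;` would be clearer as a named error state, the way the jpeg.c hunk uses `DILLO_JPEG_ERROR`. The function body starts and ends outside this hunk.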
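Review bot: The multiplication in the new Jpeg_write check is carried out in `uint_t`, and nothing next to it says why it cannot wrap before the comparison. JPEG frame dimensions are 16-bit values, so the product fits as long as `uint_t` is at least 32 bits wide; I would record that beside the check, e.g. `/* width and height are <= 65535, so the uint_t product cannot wrap */`. The four repeated `(uint_t)jpeg->cinfo.image_*` casts could also be hoisted into two locals shared by the check and the MSG call. Jpeg_write's body continues outside the hunk.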
@@ -137,6 +137,8 @@ Png_datainfo_callback(png_structp png_ptr, png_infop info_ptr)
 png_get_IHDR(png_ptr, info_ptr, &png->width, &png->height, &bit_depth, &color_type, &interlace_type, NULL, NULL);
+
+ /* check max image size */
 if (abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H) {
 MSG("Png_datainfo_callback: suspicious image size request %ldx%ld\n", png->width, png->height);
-- cgit v1.2.3
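Review bot: The check this hunk labels, `abs(png->width*png->height) > IMAGE_MAX_W * IMAGE_MAX_H`, multiplies before it compares, so for large IHDR dimensions the product can overflow and the wrapped value (or the one truncated by `abs`, which takes an `int`) can fall under the limit. The `%ldx%ld` format suggests the fields are `long`, though their declaration is outside the hunk. A division-based guard avoids the multiplication altogether: `if (png->width <= 0 || png->height <= 0 || png->width > (IMAGE_MAX_W * IMAGE_MAX_H) / png->height) {`. The rest of the `if` body lies outside the hunk.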