limit jxlload image size

We were not checking the reported image size against VIPS_MAX_COORD, leading to some glib out-of-range errors downstream.
2021-05-08 15:25:53 +01:00 · 2021-05-08 15:25:53 +01:00 · 0d7dd3be7c
commit 0d7dd3be7c
parent 37988cef83
5 changed files with 15 additions and 6 deletions
--- a/libvips/foreign/jxlload.c
+++ b/libvips/foreign/jxlload.c
@ -383,9 +383,18 @@ vips_foreign_load_jxl_process( VipsForeignLoadJxl *jxl )
 static int
 vips_foreign_load_jxl_set_header( VipsForeignLoadJxl *jxl, VipsImage *out )
 {
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS( jxl );
+
 	VipsBandFormat format;
 	VipsInterpretation interpretation;

+	if( jxl->info.xsize >= VIPS_MAX_COORD || 
+		jxl->info.ysize >= VIPS_MAX_COORD ) {
+		vips_error( class->nickname, 
+			"%s", _( "image size out of bounds" ) );
+		return( -1 );
+	}
+
 	switch( jxl->format.data_type ) {
 	case JXL_TYPE_UINT8:
 		format = VIPS_FORMAT_UCHAR;
--- a/libvips/foreign/niftisave.c
+++ b/libvips/foreign/niftisave.c
@ -174,7 +174,7 @@ vips_foreign_save_nifti_set_dims( const char *name,
 		vips_snprintf( vips_name, 256, "nifti-%s", name );
 		if( vips_image_get_int( info->image, vips_name, &i ) ||
 			i <= 0 ||
-			i > VIPS_MAX_COORD ) 
+			i >= VIPS_MAX_COORD ) 
 			return( info );
 		info->dims[info->n] = i;
 	}
--- a/libvips/foreign/radiance.c
+++ b/libvips/foreign/radiance.c
@ -861,9 +861,9 @@ rad2vips_get_header( Read *read, VipsImage *out )
 	width = scanlen( &read->rs );
 	height = numscans( &read->rs );
 	if( width <= 0 || 
-		width > VIPS_MAX_COORD ||
+		width >= VIPS_MAX_COORD ||
 		height <= 0 || 
-		height > VIPS_MAX_COORD ) {
+		height >= VIPS_MAX_COORD ) {
 		vips_error( "rad2vips", "%s", _( "image size out of bounds" ) );
 		return( -1 );
 	}
--- a/libvips/foreign/tiff2vips.c
+++ b/libvips/foreign/tiff2vips.c
@ -2515,9 +2515,9 @@ rtiff_header_read( Rtiff *rtiff, RtiffHeader *header )
 	/* Arbitrary sanity-checking limits.
 	 */
 	if( header->width <= 0 ||
-		header->width > VIPS_MAX_COORD ||
+		header->width >= VIPS_MAX_COORD ||
 		header->height <= 0 ||
-		header->height > VIPS_MAX_COORD ) {
+		header->height >= VIPS_MAX_COORD ) {
 		vips_error( "tiff2vips",
 			"%s", _( "width/height out of range" ) );
 		return( -1 );
--- a/libvips/foreign/webp2vips.c
+++ b/libvips/foreign/webp2vips.c
@ -523,7 +523,7 @@ read_header( Read *read, VipsImage *out )
 	if( read->width <= 0 ||
 		read->height <= 0 ||
 		read->width > 0x3FFF ||
-		read->height > VIPS_MAX_COORD ||
+		read->height >= VIPS_MAX_COORD ||
 		read->frame_width <= 0 ||
 		read->frame_height <= 0 ||
 		read->frame_width > 0x3FFF ||