limit the number of text chunks in PNGs

very large numbers of text chunks can cause high memory use
2021-08-05 12:28:22 +01:00 · 2021-08-05 12:28:22 +01:00 · 5263686511
parent 3d77c6abaa
commit 5263686511
3 changed files with 31 additions and 5 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 14/7/21 started 8.11.3
 - build threadpool later [kleisauke]
 - add jxlsave prototypes [adil-benameur]
+- limit text chunks in PNGs [randy408]

 15/6/20 started 8.11.2
 - better libdir guessing [remi]
--- a/libvips/foreign/spngload.c
+++ b/libvips/foreign/spngload.c
@ -194,9 +194,11 @@ vips_foreign_load_png_set_text( VipsImage *out,
 	}
 }

-static void
+static int
 vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 {
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS( png );
+
 	double xres, yres;
 	struct spng_iccp iccp;
 	struct spng_exif exif;
@ -243,6 +245,15 @@ vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 	if( !spng_get_text( png->ctx, NULL, &n_text ) ) {
 		struct spng_text *text;

+		/* Very large numbers of text chunks are used in DoS
+		 * attacks.
+		 */
+		if( n_text > 10 ) {
+			vips_error( class->nickname, 
+				"%s", _( "too many text chunks" ) );
+			return( -1 );
+		}
+
 		text = VIPS_ARRAY( VIPS_OBJECT( png ), 
 			n_text, struct spng_text );
 		if( !spng_get_text( png->ctx, text, &n_text ) ) {
@ -306,6 +317,8 @@ vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 			vips_image_set_array_double( image, "background", 
 				array, n );
 	}
+
+	return( 0 );
 }

 static int
@ -455,7 +468,8 @@ vips_foreign_load_png_header( VipsForeignLoad *load )

 	vips_source_minimise( png->source );

-	vips_foreign_load_png_set_header( png, load->out );
+	if( vips_foreign_load_png_set_header( png, load->out ) )
+		return( -1 );

 	return( 0 );
 }
@ -569,8 +583,8 @@ vips_foreign_load_png_load( VipsForeignLoad *load )
 		 * buffer, then copy to out.
 		 */
 		t[0] = vips_image_new_memory();
-		vips_foreign_load_png_set_header( png, t[0] );
-		if( vips_image_write_prepare( t[0] ) )
+		if( vips_foreign_load_png_set_header( png, t[0] ) ||
+			vips_image_write_prepare( t[0] ) )
 			return( -1 );

 		if( (error = spng_decode_image( png->ctx, 
@ -591,7 +605,9 @@ vips_foreign_load_png_load( VipsForeignLoad *load )
 	}
 	else {
 		t[0] = vips_image_new();
-		vips_foreign_load_png_set_header( png, t[0] );
+
+		if( vips_foreign_load_png_set_header( png, t[0] ) )
+			return( -1 );

 		/* We can decode these progressively.
 		 */
--- a/libvips/foreign/vipspng.c
+++ b/libvips/foreign/vipspng.c
@ -548,6 +548,15 @@ png2vips_header( Read *read, VipsImage *out )
 		&text_ptr, &num_text ) > 0 ) {
 		int i;

+		/* Very large numbers of text chunks are used in DoS
+		 * attacks.
+		 */
+		if( num_text > 10 ) {
+			vips_error( "vipspng", 
+				"%s", _( "too many text chunks" ) );
+			return( -1 );
+		}
+
 		for( i = 0; i < num_text; i++ ) 
 			/* .text is always a null-terminated C string.
 			 */