stop JPEG load after 20 warnings

mitigates some DoS attacks somewhat

see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24383
John Cupitt 2022-04-03 19:21:06 +01:00
parent 55b857d446
commit 89bd46d1c4
2 changed files with 29 additions and 9 deletions


@ -488,6 +488,12 @@ read_jpeg_header( ReadJpeg *jpeg, VipsImage *out )
size_t data_length; size_t data_length;
int i; int i;
/* Trace level 3 means emit warning messages as they happen. This
* lets us spot files with crazy numbers of warnings early and
* prevents some DoS attacks.
*/
jpeg->eman.pub.trace_level = 3;
/* Read JPEG header. libjpeg will set out_color_space sanely for us /* Read JPEG header. libjpeg will set out_color_space sanely for us
* for YUV YCCK etc. * for YUV YCCK etc.
*/ */
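Review bot: Setting `jpeg->eman.pub.trace_level = 3` does more than surface every warning, because stock libjpeg's `emit_message` also passes positive-level trace messages to `output_message` whenever `trace_level >= msg_level`, so levels 1-3 now reach the vips output handler too. As far as the second file in this commit shows, that handler formats the message and signals invalidate on every call, so a well-formed file that only produces trace chatter could be pushed out of cache like a damaged one. If `emit_message` is not overridden elsewhere, either install one that forwards only `msg_level < 0`, or extend the comment to record the side effect, e.g. `/* NOTE: level 3 also routes libjpeg trace messages (levels 1-3) through output_message. */`. read_jpeg_header's body starts and ends outside the hunk.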


@ -165,6 +165,18 @@
void void
vips__new_output_message( j_common_ptr cinfo ) vips__new_output_message( j_common_ptr cinfo )
{ {
/* Some DoS attacks use jpg files with thousands of warnings. Try to
* limit the effect these have.
*/
if( cinfo->err->num_warnings >= 20 ) {
if( cinfo->err->num_warnings == 20 ) {
vips_error( "VipsJpeg",
"%s", _( "too many warnings" ) );
}
jpeg_abort( cinfo );
}
else {
char buffer[JMSG_LENGTH_MAX]; char buffer[JMSG_LENGTH_MAX];
(*cinfo->err->format_message)( cinfo, buffer ); (*cinfo->err->format_message)( cinfo, buffer );
@ -174,11 +186,13 @@ vips__new_output_message( j_common_ptr cinfo )
printf( "vips__new_output_message: \"%s\"\n", buffer ); printf( "vips__new_output_message: \"%s\"\n", buffer );
#endif /*DEBUG*/ #endif /*DEBUG*/
/* This is run for things like file truncated. Signal invalidate to /* This is run for things like file truncated. Signal
* force this op out of cache. * invalidate to force this op out of cache.
*/ */
if( cinfo->client_data ) if( cinfo->client_data )
vips_foreign_load_invalidate( VIPS_IMAGE( cinfo->client_data ) ); vips_foreign_load_invalidate(
VIPS_IMAGE( cinfo->client_data ) );
}
} }
/* New error_exit handler. /* New error_exit handler.
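Review bot: `jpeg_abort( cinfo )` is called from inside the output handler, which libjpeg invokes in the middle of a decode call, so when the handler returns the interrupted libjpeg routine resumes on an object whose image-lifetime memory pool has just been released. That looks like a use-after-free risk on exactly the hostile inputs this limit targets; the hunk does not show which libjpeg paths touch pool memory after emitting a warning, so it is worth verifying under ASan with the fuzzer corpus. Leaving through the error path instead, `(*cinfo->err->error_exit)( cinfo );`, would unwind without returning into the decoder, assuming the error_exit handler that starts just below does not return (its body is outside the hunk). Separately, the literal `20` appears in both tests; a named constant such as `#define MAX_JPEG_WARNINGS 20` (name constructed here) would keep them in sync and document the limit.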