stop JPEG load after 20 warnings
mitigates some DoS attacks somewhat see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24383
This commit is contained in:
parent
55b857d446
commit
89bd46d1c4
@ -488,6 +488,12 @@ read_jpeg_header( ReadJpeg *jpeg, VipsImage *out )
|
||||
size_t data_length;
|
||||
int i;
|
||||
|
||||
/* Trace level 3 means emit warning messages as they happen. This
|
||||
* lets us spot files with crazy numbers of warnings early and
|
||||
* prevents some DoS attacks.
|
||||
*/
|
||||
jpeg->eman.pub.trace_level = 3;
|
||||
|
||||
/* Read JPEG header. libjpeg will set out_color_space sanely for us
|
||||
* for YUV YCCK etc.
|
||||
*/
|
||||
|
@ -165,6 +165,18 @@
|
||||
void
|
||||
vips__new_output_message( j_common_ptr cinfo )
|
||||
{
|
||||
/* Some DoS attacks use jpg files with thousands of warnings. Try to
|
||||
* limit the effect these have.
|
||||
*/
|
||||
if( cinfo->err->num_warnings >= 20 ) {
|
||||
if( cinfo->err->num_warnings == 20 ) {
|
||||
vips_error( "VipsJpeg",
|
||||
"%s", _( "too many warnings" ) );
|
||||
}
|
||||
|
||||
jpeg_abort( cinfo );
|
||||
}
|
||||
else {
|
||||
char buffer[JMSG_LENGTH_MAX];
|
||||
|
||||
(*cinfo->err->format_message)( cinfo, buffer );
|
||||
@ -174,11 +186,13 @@ vips__new_output_message( j_common_ptr cinfo )
|
||||
printf( "vips__new_output_message: \"%s\"\n", buffer );
|
||||
#endif /*DEBUG*/
|
||||
|
||||
/* This is run for things like file truncated. Signal invalidate to
|
||||
* force this op out of cache.
|
||||
/* This is run for things like file truncated. Signal
|
||||
* invalidate to force this op out of cache.
|
||||
*/
|
||||
if( cinfo->client_data )
|
||||
vips_foreign_load_invalidate( VIPS_IMAGE( cinfo->client_data ) );
|
||||
vips_foreign_load_invalidate(
|
||||
VIPS_IMAGE( cinfo->client_data ) );
|
||||
}
|
||||
}
|
||||
|
||||
/* New error_exit handler.
|
||||
|
Loading…
Reference in New Issue
Block a user