Merge branch '8.11'

ChangeLog

@@ -6,6 +6,8 @@
 
 14/7/21 started 8.11.3
 - build threadpool later [kleisauke]
+- add jxlsave prototypes [adil-benameur]
+- limit text chunks in PNGs [randy408]
 
 15/6/20 started 8.11.2
 - better libdir guessing [remi]

libvips/foreign/heifload.c

@@ -445,6 +445,13 @@ vips_foreign_load_heif_set_header( VipsForeignLoadHeif *heif, VipsImage *out )
 	if( vips_foreign_load_heif_set_page( heif, heif->page, FALSE ) )
 		return( -1 );
 
+	/* Verify dimensions
+	 */
+	if ( heif->page_width < 1 || heif->page_height < 1 ) {
+		vips_error( "heifload", "%s", _( "bad dimensions" ) );
+		return( -1 );
+	}
+
 	heif->has_alpha = heif_image_handle_has_alpha_channel( heif->handle );
 #ifdef DEBUG
 	printf( "heif_image_handle_has_alpha_channel() = %d\n", 

libvips/foreign/spngload.c

@@ -194,9 +194,11 @@ vips_foreign_load_png_set_text( VipsImage *out,
 	}
 }
 
-static void
+static int
 vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 {
+	VipsObjectClass *class = VIPS_OBJECT_GET_CLASS( png );
+
 	double xres, yres;
 	struct spng_iccp iccp;
 	struct spng_exif exif;
@@ -244,6 +246,15 @@ vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 	if( !spng_get_text( png->ctx, NULL, &n_text ) ) {
 		struct spng_text *text;
 
+		/* Very large numbers of text chunks are used in DoS
+		 * attacks.
+		 */
+		if( n_text > 10 ) {
+			vips_error( class->nickname, 
+				"%s", _( "too many text chunks" ) );
+			return( -1 );
+		}
+
 		text = VIPS_ARRAY( VIPS_OBJECT( png ), 
 			n_text, struct spng_text );
 		if( !spng_get_text( png->ctx, text, &n_text ) ) {
@@ -307,6 +318,8 @@ vips_foreign_load_png_set_header( VipsForeignLoadPng *png, VipsImage *image )
 			vips_image_set_array_double( image, "background", 
 				array, n );
 	}
+
+	return( 0 );
 }
 
 static int
@@ -456,7 +469,8 @@ vips_foreign_load_png_header( VipsForeignLoad *load )
 
 	vips_source_minimise( png->source );
 
-	vips_foreign_load_png_set_header( png, load->out );
+	if( vips_foreign_load_png_set_header( png, load->out ) )
+		return( -1 );
 
 	return( 0 );
 }
@@ -570,8 +584,8 @@ vips_foreign_load_png_load( VipsForeignLoad *load )
 		 * buffer, then copy to out.
 		 */
 		t[0] = vips_image_new_memory();
-		vips_foreign_load_png_set_header( png, t[0] );
-		if( vips_image_write_prepare( t[0] ) )
+		if( vips_foreign_load_png_set_header( png, t[0] ) ||
+			vips_image_write_prepare( t[0] ) )
 			return( -1 );
 
 		if( (error = spng_decode_image( png->ctx, 
@@ -592,7 +606,9 @@ vips_foreign_load_png_load( VipsForeignLoad *load )
 	}
 	else {
 		t[0] = vips_image_new();
-		vips_foreign_load_png_set_header( png, t[0] );
+
+		if( vips_foreign_load_png_set_header( png, t[0] ) )
+			return( -1 );
 
 		/* We can decode these progressively.
 		 */

libvips/foreign/tiff2vips.c

@@ -2565,8 +2565,6 @@ rtiff_header_read( Rtiff *rtiff, RtiffHeader *header )
 	 */
 	header->tiled = TIFFIsTiled( rtiff->tiff );
 
-
-
 #ifdef DEBUG
 	printf( "rtiff_header_read: header.width = %d\n", 
 		header->width );

libvips/foreign/vipspng.c

@@ -551,6 +551,15 @@ png2vips_header( Read *read, VipsImage *out )
 		&text_ptr, &num_text ) > 0 ) {
 		int i;
 
+		/* Very large numbers of text chunks are used in DoS
+		 * attacks.
+		 */
+		if( num_text > 10 ) {
+			vips_error( "vipspng", 
+				"%s", _( "too many text chunks" ) );
+			return( -1 );
+		}
+
 		for( i = 0; i < num_text; i++ ) 
 			/* .text is always a null-terminated C string.
 			 */