Add checks for sane image sizes in some image loaders (bmp, jpg, tga, png)

Thanks @sfan5 for the original patch (got modified a bit): dbd39120e7
Forum: https://irrlicht.sourceforge.io/forum/viewtopic.php?f=2&t=52819&p=306518
Those are the common formats, but rest of image loaders should also call this some day.

git-svn-id: svn://svn.code.sf.net/p/irrlicht/code/trunk@6387 dfc29bdd-3216-0410-991c-e03cc46cb475
This commit is contained in:
cutealien 2022-05-08 14:42:59 +00:00
parent 72b1522083
commit cfde879801
5 changed files with 23 additions and 3 deletions

@ -1,6 +1,8 @@
-------------------------- --------------------------
Changes in 1.9 (not yet released) Changes in 1.9 (not yet released)
- Add checks for sane image sizes in some image loaders (so far: bmp, jpg, tga, png).
Thanks @sfan5 for the original patch (got modified a bit): https://github.com/minetest/irrlicht/commit/dbd39120e7ed8c0c97e48e2df62347627f3c1d42
- Add IImage::checkDataSizeLimit and make IImage getDataSizeFromFormat return size_t so image loaders can check if sizes are sane. - Add IImage::checkDataSizeLimit and make IImage getDataSizeFromFormat return size_t so image loaders can check if sizes are sane.
- Fix crash with large jpg files. Based somewhat on a patch in Minetest from sfan5 https://github.com/minetest/irrlicht/commit/594de9915346a87f67cd94e28c7933993efb5d3b - Fix crash with large jpg files. Based somewhat on a patch in Minetest from sfan5 https://github.com/minetest/irrlicht/commit/594de9915346a87f67cd94e28c7933993efb5d3b
- COSOperator::getSystemMemory now returns some value on OSX (thought same for total and available). - COSOperator::getSystemMemory now returns some value on OSX (thought same for total and available).

@ -313,6 +313,13 @@ IImage* CImageLoaderBMP::loadImage(io::IReadFile* file) const
dim.Height = header.Height; dim.Height = header.Height;
IImage* image = 0; IImage* image = 0;
if ( !IImage::checkDataSizeLimit( (size_t)header.Width*header.Height*header.BPP) )
{
os::Printer::log("Image dimensions too large for file", file->getFileName(), ELL_WARNING);
goto cleanup;
}
switch(header.BPP) switch(header.BPP)
{ {
case 1: case 1:
@ -348,7 +355,7 @@ IImage* CImageLoaderBMP::loadImage(io::IReadFile* file) const
}; };
// clean up // clean up
cleanup:
delete [] paletteData; delete [] paletteData;
delete [] bmpData; delete [] bmpData;

@ -232,9 +232,11 @@ IImage* CImageLoaderJPG::loadImage(io::IReadFile* file) const
u32 width = cinfo.image_width; u32 width = cinfo.image_width;
u32 height = cinfo.image_height; u32 height = cinfo.image_height;
if ( width > JPEG_MAX_DIMENSION || height > JPEG_MAX_DIMENSION ) if ( width > JPEG_MAX_DIMENSION || height > JPEG_MAX_DIMENSION
|| !IImage::checkDataSizeLimit(IImage::getDataSizeFromFormat(ECF_R8G8B8, width, height))
)
{ {
os::Printer::log("Image dimensions too large for JPG in file", filename, ELL_WARNING); os::Printer::log("Image dimensions too large in file", filename, ELL_ERROR);
longjmp(jerr.setjmp_buffer, 1); longjmp(jerr.setjmp_buffer, 1);
} }

@ -158,6 +158,9 @@ IImage* CImageLoaderPng::loadImage(io::IReadFile* file) const
Height=h; Height=h;
} }
if (!IImage::checkDataSizeLimit((size_t)Width* Height * (BitDepth/8)))
png_cpexcept_error(png_ptr, "Image dimensions too large");
// Convert palette color to true color // Convert palette color to true color
if (ColorType==PNG_COLOR_TYPE_PALETTE) if (ColorType==PNG_COLOR_TYPE_PALETTE)
png_set_palette_to_rgb(png_ptr); png_set_palette_to_rgb(png_ptr);

@ -106,6 +106,12 @@ IImage* CImageLoaderTGA::loadImage(io::IReadFile* file) const
header.ImageHeight = os::Byteswap::byteswap(header.ImageHeight); header.ImageHeight = os::Byteswap::byteswap(header.ImageHeight);
#endif #endif
if (!IImage::checkDataSizeLimit((size_t)header.ImageWidth* header.ImageHeight * (header.PixelDepth/8)))
{
os::Printer::log("Image dimensions too large in file.", file->getFileName(), ELL_ERROR);
return 0;
}
// skip image identification field // skip image identification field
if (header.IdLength) if (header.IdLength)
file->seek(header.IdLength, true); file->seek(header.IdLength, true);