Expected
Images with buffer sizes too large for usize rejected early
Actual behaviour
I see PNG decoding code using output_buffer_size() from the PNG crate in multiple places. Looking at its implementation, the computation may silently overflow.
This was recently fixed in GIF in #2103, but PNG seems to be affected too.
I haven't actually tested this - there might be some early check that catches this, but even so the code is fragile.
Doesn't seem to impact the main read_image method, but should still be fixed.
If anyone wants to look at resolving this, the total_bytes() method on PngDecoder (via the ImageDecoder trait) returns the same value, but as a u64 and computed with saturating multiplies so it doesn't overflow.
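The gap between a wrapping pointer-sized multiplication and the saturating `u64` total described in the comment above, as an added example that is not code from the image or png crates. The function names and dimensions are constructed for illustration, and `u32` stands in for `usize` on a 32-bit target so the wrapped value is the same on any host.

```rust
// Added example: hypothetical function names, constructed dimensions.

/// Returned when the decoded image cannot fit in a single allocation.
#[derive(Debug, PartialEq)]
pub struct TooLarge(pub u64);

/// The fragile pattern: multiply in the target's pointer-sized integer and
/// let it wrap. `u32` stands in for `usize` on a 32-bit target so the result
/// is identical on any host.
pub fn wrapping_size_32bit(width: u32, height: u32, bytes_per_pixel: u32) -> u32 {
    width.wrapping_mul(height).wrapping_mul(bytes_per_pixel)
}

/// Total size as u64 using saturating multiplies, so it can never wrap.
pub fn total_bytes(width: u32, height: u32, bytes_per_pixel: u8) -> u64 {
    u64::from(width)
        .saturating_mul(u64::from(height))
        .saturating_mul(u64::from(bytes_per_pixel))
}

/// Early rejection: hand out a `usize` only when the total fits in one
/// allocation. Rust allocations are capped at `isize::MAX` bytes.
pub fn checked_buffer_size(width: u32, height: u32, bytes_per_pixel: u8) -> Result<usize, TooLarge> {
    let total = total_bytes(width, height, bytes_per_pixel);
    if total > isize::MAX as u64 {
        return Err(TooLarge(total));
    }
    Ok(total as usize)
}

fn main() {
    // Constructed header values: 65537 x 65536 pixels, 4 bytes per pixel.
    let (w, h, bpp) = (65_537u32, 65_536u32, 4u8);
    println!("wrapped (32-bit): {} bytes", wrapping_size_32bit(w, h, u32::from(bpp)));
    println!("true total:       {} bytes", total_bytes(w, h, bpp));
    println!("checked:          {:?}", checked_buffer_size(w, h, bpp));
    // Saturates to u64::MAX and is rejected on every target.
    println!("extreme:          {:?}", checked_buffer_size(u32::MAX, u32::MAX, 8));
}
```

On a 64-bit host the 65537 x 65536 case passes the check because roughly 16 GiB is addressable there; on a 32-bit target the same call returns `Err`.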
This happens in image 0.24.8