
PNG decoding relies on output_buffer_size() function that may overflow #2111

Shnatsel opened this issue Jan 16, 2024 · 1 comment

@Shnatsel
Contributor

This happens in image 0.24.8

Expected

Images with buffer sizes too large for usize are rejected early

Actual behaviour

I see PNG decoding code using output_buffer_size() from the PNG crate in multiple places. Looking at its implementation, the computation may silently overflow.

This was recently fixed in GIF in #2103, but PNG seems to be affected too.

I haven't actually tested this - there might be some early check that catches this, but even so the code is fragile.

@fintelia
Contributor

fintelia commented Jan 16, 2024

Doesn't seem to impact the main read_image method, but should still be fixed.

If anyone wants to look at resolving this, the total_bytes() method on PngDecoder (via the ImageDecoder trait) returns the same value, but as a u64 and computed with saturating multiplies so it doesn't overflow.
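The failure mode discussed in this thread, as an added example that is not code from the `image` or `png` crate: a `width * height * bytes_per_pixel` product computed in `usize` straight from untrusted header fields can wrap silently, whereas computing it in `u64` with checked or saturating multiplies lets a decoder reject oversized images before allocating. The `Header` struct is a simplified stand-in for the fields a PNG IHDR carries, and `wrapping_mul` is used in the fragile variant only so the wrap is observable in debug builds as well as release builds.

```rust
// Added example, not the image/png crate's own code. `Header` is an assumed
// simplification of the PNG IHDR fields that drive the buffer-size computation.

/// Stand-in for the decoded IHDR fields (assumed shape for this example).
#[derive(Clone, Copy, Debug)]
pub struct Header {
    pub width: u32,
    pub height: u32,
    pub bit_depth: u8, // 1, 2, 4, 8 or 16
    pub channels: u8,  // 1 (gray), 2 (gray+alpha), 3 (RGB), 4 (RGBA)
}

/// Bytes needed for one unfiltered row, rounded up to whole bytes.
/// Computed in u64: width (< 2^32) * bit_depth (<= 16) * channels (<= 4)
/// stays below 2^39, so this intermediate product cannot overflow.
fn row_bytes(h: &Header) -> u64 {
    let bits = h.width as u64 * h.bit_depth as u64 * h.channels as u64;
    (bits + 7) / 8
}

/// Fragile version: a usize multiply with no overflow check.
/// `wrapping_mul` emulates what a plain `*` does in release builds
/// (in debug builds `*` would panic instead of wrapping).
pub fn output_buffer_size_unchecked(h: &Header) -> usize {
    let row = row_bytes(h) as usize; // narrowing cast can itself truncate
    row.wrapping_mul(h.height as usize)
}

/// Hardened version: multiply in u64 with a checked operation and refuse
/// any total that does not fit in usize on the current target.
pub fn output_buffer_size_checked(h: &Header) -> Option<usize> {
    let total = row_bytes(h).checked_mul(h.height as u64)?;
    usize::try_from(total).ok()
}

/// Saturating variant in the spirit of a u64 `total_bytes()`-style query:
/// never wraps, and returns u64::MAX on overflow so a caller can still
/// compare the result against an allocation limit.
pub fn total_bytes_saturating(h: &Header) -> u64 {
    row_bytes(h).saturating_mul(h.height as u64)
}

fn main() {
    // Constructed inputs: a normal image and one whose total wraps to 0
    // in a 64-bit usize (2^33 bytes per row * 2^31 rows == 2^64).
    let small = Header { width: 640, height: 480, bit_depth: 8, channels: 4 };
    let huge = Header { width: 1 << 31, height: 1 << 31, bit_depth: 8, channels: 4 };

    for h in [small, huge] {
        println!(
            "{:?}\n  unchecked: {}\n  checked:   {:?}\n  saturating: {}",
            h,
            output_buffer_size_unchecked(&h),
            output_buffer_size_checked(&h),
            total_bytes_saturating(&h)
        );
    }
}
```

For the oversized header the unchecked product wraps to 0, which a caller would happily pass to `Vec::with_capacity` and then overrun, while the checked form returns `None` and the saturating form returns `u64::MAX`; either of the latter gives the decoder a value it can reject against a limit before touching the pixel data.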
