bug 255067 reduce max image size to prevent DOS

gfx/src/shared/gfxImageFrame.cpp

@@ -86,6 +86,13 @@ NS_IMETHODIMP gfxImageFrame::Init(nscoord aX, nscoord aY, nscoord aWidth, nscoor
     return NS_ERROR_FAILURE;
   }
 
+  /* reject over-wide or over-tall images */
+  const PRInt32 k64KLimit = 0x0000FFFF;
+  if ( aWidth > k64KLimit || aHeight > k64KLimit ){
+    NS_ERROR("image too big");
+    return NS_ERROR_FAILURE;
+  }
+
   nsresult rv;
 
   mOffset.MoveTo(aX, aY);

gfx/src/windows/nsImageWin.cpp

@@ -130,6 +130,10 @@ nsresult nsImageWin :: Init(PRInt32 aWidth, PRInt32 aHeight, PRInt32 aDepth,nsMa
     return NS_ERROR_UNEXPECTED;
   }
 
+  // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
+  const PRInt32 k64KLimit = 0x0000FFFF;
+  if (aWidth > k64KLimit || aHeight > k64KLimit)
+      return NS_ERROR_FAILURE;
 
   if (mNumPaletteColors >= 0){
     // If we have a palette

modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp

@@ -274,7 +274,9 @@ NS_METHOD nsBMPDecoder::ProcessData(const char* aBuffer, PRUint32 aCount)
             CalcBitShift();
         }
         // BMPs with negative width are invalid
-        if (mBIH.width < 0)
+        // Reject extremely wide images to keep the math sane
+        const PRInt32 k64KWidth = 0x0000FFFF;
+        if (mBIH.width < 0 || mBIH.width > k64KWidth)
             return NS_ERROR_FAILURE;
 
         PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;