From ea39eadbee4b4eac87effdf5de70af25a850bc35 Mon Sep 17 00:00:00 2001
From: "dveditz%cruzio.com"
Date: Fri, 27 Aug 2004 10:34:14 +0000
Subject: [PATCH] bug 255067 reduce max image size to prevent DOS
---
 gfx/src/shared/gfxImageFrame.cpp | 7 +++++++
 gfx/src/windows/nsImageWin.cpp | 4 ++++
 modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp | 4 +++-
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/gfx/src/shared/gfxImageFrame.cpp b/gfx/src/shared/gfxImageFrame.cpp
index 8932e9a33d9..116a8aeca80 100644
--- a/gfx/src/shared/gfxImageFrame.cpp
+++ b/gfx/src/shared/gfxImageFrame.cpp
@@ -86,6 +86,13 @@ NS_IMETHODIMP gfxImageFrame::Init(nscoord aX, nscoord aY, nscoord aWidth, nscoor
 return NS_ERROR_FAILURE;
 }
+ /* reject over-wide or over-tall images */
+ const PRInt32 k64KLimit = 0x0000FFFF;
+ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
+ NS_ERROR("image too big");
+ return NS_ERROR_FAILURE;
+ }
+
 nsresult rv;
 mOffset.MoveTo(aX, aY);
diff --git a/gfx/src/windows/nsImageWin.cpp b/gfx/src/windows/nsImageWin.cpp
index cc54b9cda01..866001e581a 100644
--- a/gfx/src/windows/nsImageWin.cpp
+++ b/gfx/src/windows/nsImageWin.cpp
@@ -130,6 +130,10 @@ nsresult nsImageWin :: Init(PRInt32 aWidth, PRInt32 aHeight, PRInt32 aDepth,nsMa
 return NS_ERROR_UNEXPECTED;
 }
+ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
+ const PRInt32 k64KLimit = 0x0000FFFF;
+ if (aWidth > k64KLimit || aHeight > k64KLimit)
+ return NS_ERROR_FAILURE;
 if (mNumPaletteColors >= 0){ // If we have a palette
diff --git a/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp b/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
index 19e47012c6d..d85845664a6 100644
--- a/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+++ b/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
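Review bot: In gfxImageFrame::Init (gfxImageFrame.cpp) the new per-side cap still admits a 65535 x 65535 frame, whose pixel count (about 4.29 billion) does not fit in a PRInt32 and whose byte size is larger still, so any width*height arithmetic or allocation later in Init can wrap or request several gigabytes unless an area check exists outside this hunk. Consider bounding the product as well, for example `if (aHeight > PR_INT32_MAX / 4 / aWidth) return NS_ERROR_FAILURE;`, where 4 stands in for the widest bytes-per-pixel in use and should be confirmed, and aWidth is assumed to have been checked positive above. The same gap applies to the identical check added in nsImageWin::Init. Init begins and continues outside the hunk, so the existing size handling is not visible here.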
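Review bot: The check added to nsImageWin::Init (nsImageWin.cpp) returns silently while the same condition in gfxImageFrame::Init raises NS_ERROR, and the limit is defined three times in this commit under two names (`k64KLimit` here and in gfxImageFrame.cpp, `k64KWidth` in nsBMPDecoder.cpp). A single shared constant would keep the three rejection points from drifting apart. Since untrusted content can trigger this condition and NS_ERROR asserts in debug builds, a non-asserting diagnostic such as `NS_WARNING("image too big");` at each site would fit better. The rest of Init lies outside the hunk.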
@@ -274,7 +274,9 @@ NS_METHOD nsBMPDecoder::ProcessData(const char* aBuffer, PRUint32 aCount)
 CalcBitShift();
 }
 // BMPs with negative width are invalid
- if (mBIH.width < 0)
+ // Reject extremely wide images to keep the math sane
+ const PRInt32 k64KWidth = 0x0000FFFF;
+ if (mBIH.width < 0 || mBIH.width > k64KWidth)
 return NS_ERROR_FAILURE;
 PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
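Review bot: Only mBIH.width is bounded in nsBMPDecoder::ProcessData; on the context line below, `-mBIH.height` is still evaluated with no range check, and if height is a signed 32-bit field (the sign test suggests it is) a header carrying the most negative value makes that negation overflow. Rejecting out-of-range heights before the negation closes this, e.g. `if (mBIH.height < -k64KWidth || mBIH.height > k64KWidth) return NS_ERROR_FAILURE;` placed ahead of the real_height line, with the constant renamed to cover both dimensions. The added comment could also name which computation the limit protects rather than "the math". ProcessData starts and ends outside the hunk, so a later height check may already exist.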